Recognizing that, for the most part, security managers and audit teams don't understand the ins and outs of source code, application security largely falls into the laps of development teams. Like a vampire to garlic and crosses, however, most developers have an aversion to security, and view it as a hindrance to their main directives: functionality and speed-to-market.
It's becoming incumbent upon security managers to provide coders with tools and best practices that can be integrated into their development environments and make security transparent in the programming process.
"Without automated tools, it is impossible to discover and remediate all of the important vulnerabilities in new enterprise applications before they are fielded," writes IDC analyst Charles Kolodgy in a December 2006 paper on application security. "The more complex the code, the harder it is to understand, analyze and secure."
IDC expects a growth spurt in the application vulnerability assessment market, forecasting a $287 million market by 2010, doubling from this year's projection of $143 million.
At the end of 2005, for example, Watchfire and SPI Dynamics held close to 50 percent of market share and nearly $35 million of what was then a $69 million market. Watchfire's AppScan and SPI Dynamics' WebInspect tools finished in the top 5 of Information Security magazine's annual 2006 Readers Choice awards. Both scored well detecting and preventing known and unknown attacks and for their ease of installation, configuration and administration.
The two vendors' popular tools and market presence made them obvious acquisition targets. In June, IBM said it would acquire Watchfire and add its technology to its Rational development platform, which provides tools for developers to model, design and build Web-based architectures for SOA, systems and applications. Hewlett-Packard Co. (HP) followed suit, saying it would acquire SPI Dynamics and integrate the vendor's software as a unit in HP's Technology Solutions Group.
With applications becoming dynamic--often making requests on behalf of a user while keeping a page responsive while a request loads in the background--code review teams can't be expected to manually catch programming defects. Toss in the growing interest in sophisticated business-to-business interactions happening with Web services and service-oriented applications, and the complexity grows exponentially. Suddenly, buffer overflows--despite their seriousness and pervasiveness--seem old hat. SQL injections and cross-site scripting are earning equal attention. Input validation is another step that cannot be overlooked.
The ultimate market response is a set of scanning tools that anticipates the problems while not impeding a developer's need to meet delivery schedules.
"Attackers go for what is the easiest thing to attack," said Diana Kelley, vice president with the Burton Group. "The criminalization of attacks on data has made applications a more attractive target."
Some of the contenders in this space, like Fortify (used by Oracle to scan its source code), OunceLabs, WhiteHat Security, Klocwork and Beyond Security, are combining their scanning engines with management consoles that churn out actionable information and provide for trend reporting over time, making them more enterprise friendly.
False positives and false negatives are also an issue, though one that is improving as scanners become better tuned. Enterprises also expect these tools to analyze code in the context of the full application in order to catch potential flaws as the app interacts with other parts of the infrastructure.
IDC says these tools must be easy to update with new rules, and customizable for different enterprise environments. Support for multiple languages, including Java, .NET, C, C# and C++, is a must as legacy apps are finding new life in the standardized Web services, SOA world.
"With application security, enterprises have to think of it as a full lifecycle," Kelley said. "If you try to solve security once an application is released, the horse is out of the gate already and it's too late. There are tools along the way you can use. If companies think about security from the beginning, they'll find the process goes a lot more smoothly."