Two software vendors that aim to foster higher quality software are integrating their suites, bridging software...
quality and application security processes.
Coverity Inc. and Armorize Technologies announced integration plans today. The two vendors plan to release a fully integrated suite that ties together the Coverity Static Analysis, for code analysis, with Armorize's security analysis suite. The two vendors said the combined suites will add security deeper into the software quality process without disrupting coding teams.
In an interview with SearchSecurity.com, Caleb Sima, CEO of Armorize Technologies said the integration puts less strain on developers, who, in some organizations, are forced to use security audit tools. Developers are already burdened with project deadlines, he said. Meanwhile, security teams gain more visibility into the development process gaining tools that enable them to detect high priority vulnerabilities earlier in the process and then track the progress of coders to fix them.
"We're allowing both security and development teams to have their own world," Sima said. "We're not forcing a security guy to log into development console and development guy to log into a security console."
As attackers continue to target software vulnerabilities, more companies are bolstering their software development lifecycles, attempting to inject security deeper into the process. But getting security earlier in the process has been difficult, as development teams are under pressure to get projects in on time, their focus has been to eliminate software defects, not necessarily detect high priority security flaws. Technology has played an important role to scan as much code as possible to detect security vulnerabilities.
More software assessment vendors are trying to broaden their suites with security analysis capabilities, attempting to increase the coverage in the security development lifecycle, said Ramon Krikken, a principal analyst at Gartner Inc. Fortify Software partners with Hewett-Packard. IBM, meanwhile, has bolstered its Rational software business.
"There's generally tension between goals of development organization want to deliver on time and on budget and the security team who says we'll do a security assessment and if there's something wrong this will have to be fixed," Krikken said. "But there's somewhat of an overlap between software quality and software security because both of them deal with underlying flaws which cause the software to misbehave in some way."
Implementing a software security program gets even more complicated with some firms managing multiple development teams and outsourced development projects. Creating an organizational foundation for getting everybody on the same page and making the process not only effective but also efficient is important to success, Krikken said.
"If you put in place assessments at the end of the lifecycle you're not going to make any friends in the development team or the business side," he said.
Coverity and Armorize's integration plans bring Armorize's CodeSecure into Coverity's existing development and triage workflow platform. The integration could get development teams and security teams to collaborate more closely on projects, Sima said. "It's no longer a manual process of talking or discussions of what new things are coming out of dev," Sima said. "It will get pulled right into CodeSecure's interface."
The resulting integration will enable CodeSecure to connect to the Coverity server and pull in the ongoing development project data. The combined suite tracks the developer's workflow, identifying code changes while providing resolution management capabilities for security vulnerabilities.
The integrated platform is planned to be released by the end of the year. The two firms are also establishing a beta program for early adopters of the combined software.