Published: 01 May 2004
No software company in the world sets out to produce bug-ridden code. And no application is perfect, especially one with millions of lines of code. But the goal isn't perfection--well, maybe that's the goal, but no prudent security professional can expect to attain it.
The Research Triangle Institute estimated in 2002 that flawed software costs as much as $59 billion annually in lost productivity. Add the billions more spent to guard against hackers and malware, and you're talking about serious money.
Complicating the quality problem are custom apps from in-house developers and the code developed by inexpensive, offshore contractors. While custom code can be tailored, it's prone to the same errors as faulty commercial software.
Producing better software is the obvious cure, but not an easy one. Software vendors and in-house developers are trying to reform their development processes. But there will be flaws as long as humans are tapping the keyboard, and as long as businesses care more about faster and cheaper software than about quality and security.
Recognizing the need to improve quality, a spate of new automated code review tools is gaining attention. They scan source code and, in some cases, perform binary analysis on apps written in widely used languages such as C, C++ and Java, looking for common mistakes and runtime errors.
A few source code analysis tools have been around for a while. Cigital's ITS4 and Secure Software's RATS provide rudimentary static analysis of code. The tools are free, and both companies offer competent consulting services.
Reasoning, a quality assessment firm, is expanding its services to offer reviews for applications written in C, C++ and Java. Fortify and HB Gary are bringing similar tools to market.
More recently, Ounce Labs has developed Prexis, an analyzer that checks source code against secure coding practices. It adds a knowledge base, workflow and reporting to the development process. Its "V-Density" measurement is intended to quantify the vulnerability density and complexity of the software--something sorely needed--so that remediation can be prioritized across applications.
@stake continues to develop its SmartRisk Analyzer, which combines source code analysis with binary analysis. It looks at the assembly language and builds out all possible code paths, seeking out purposely placed backdoors, problems introduced by the compiler and errors in shared libraries.
Parasoft has a suite of Automated Error Prevention tools for testing and analyzing code.
Sanctum and SPI Dynamics have steadily moved earlier in the software lifecycle by integrating their interactive testing with development environments. White Hat Security, Foundstone and TruSecure offer human-performed code reviews.
These tools will reduce, not eliminate, the flaws in code--particularly the dreaded buffer overflows. The real challenge for development organizations is figuring out how much to spend on better code before the cost outweighs the benefit.
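To make the buffer-overflow point concrete, here is an added example (not from the article or from any of the vendors' tools): the unbounded string copy that pattern-matching scanners such as ITS4 and RATS flag, beside a bounded version that a reviewer would accept. The function names, the 16-byte buffer and the sample input are illustrative assumptions.

```c
/* Added example: the classic stack buffer overflow beside its hardened form.
 * Names, buffer size and inputs are assumptions for illustration only. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* assumed fixed-size destination buffer */

/* Flawed form: strcpy() copies until the NUL terminator regardless of the
 * destination size, so any name of NAME_LEN or more characters writes past
 * 'buf' on the stack. This is the call a lexical scanner flags on sight.
 * It is never called with oversized input below; doing so is undefined
 * behaviour. */
void greet_unsafe(const char *name)
{
    char buf[NAME_LEN];
    strcpy(buf, name);                  /* flagged: unbounded copy */
    printf("Hello, %s\n", buf);
}

/* Hardened form: measure the input, reject anything that does not fit with
 * room for the terminating NUL, then copy with an explicit bound.
 * Returns 0 on success and -1 when the input is rejected. A scanner that only
 * greps for strcpy() would also pass this function if the comparison below
 * used the wrong constant, which is why such tools reduce rather than
 * eliminate overflows. */
int greet_safe(const char *name)
{
    char buf[NAME_LEN];
    size_t len = strlen(name);
    if (len >= sizeof buf) {            /* len must leave room for '\0' */
        return -1;
    }
    memcpy(buf, name, len + 1);         /* bounded by the check above */
    printf("Hello, %s\n", buf);
    return 0;
}

/* Largest name length greet_safe() accepts (NAME_LEN minus the NUL). */
size_t max_safe_name_len(void)
{
    return NAME_LEN - 1;
}

int main(void)
{
    /* Constructed oversized input: 63 'A's, far beyond the 16-byte buffer. */
    char oversized[64];
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    greet_unsafe("Alice");              /* fits, so no overflow here */
    /* greet_unsafe(oversized); would smash the stack: deliberately not run */

    printf("greet_safe(\"Alice\") = %d\n", greet_safe("Alice"));
    printf("greet_safe(oversized) = %d\n", greet_safe(oversized));
    return 0;
}
```

Compile with `cc -Wall -o greet greet.c`; the first safe call returns 0 and the second returns -1 without touching memory past the buffer.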
About the author:
Pete Lindstrom, CISSP, is research director at Spire Security.