System checks vulnerability of third-party code
Application security specialist Fortify Software has come out with a system that automates software assurance governance and will help check for code flaws in business applications sourced from ISVs and outsourcers.
“Today’s environment forces security professionals to work with development, legal and executive teams, making the process of securing applications complex,” the company said in introducing an upgraded version of its Fortify 360 product.
Barmak Meftah, senior VP at Fortify, said of Fortify 360: “It provides the software security and risk management teams with everything they should need to express, automate, manage and enforce their security policy.”
The company’s line is that automation is the only way to ensure the efficiency and success of any security initiative and to prevent cyber-criminals breaking in at the business application level.
He told us, “It also addresses the difficulties organisations face in understanding the impact on the security policy of applications used internally like a commercial, off-the-shelf software package from an ISV, or those that are supplied by a service provider or systems integrator.”
The product is an integrated dynamic and static analysis system designed to contain, and where possible remove and prevent, vulnerabilities in business applications.
Meftah explained the latest enhancements had been developed after plenty of feedback from chief security officers at some of its 500-odd accounts.
The latest version comes with application risk templates that help improve governance by allowing security teams to systematically achieve visibility across all vulnerable software, and so optimise their software security assurance operations.
The addition of a web-based software security assurance (SSA) Governance module to Fortify 360 allows enterprises to create a detailed application inventory of all enterprise software, assign risk profiles to all applications and then generate appropriate security policies tailored to each risk profile.
Meftah said a new on-demand audit, triage and fix service will also become available today, known as Fortify Vendor Security Management.
An ISV can choose to upload the binaries of any commercial software to the on-demand system so that Fortify can assess the code with static and dynamic analysis, remediate any issues and report the health-check findings back to the software provider or prospective customer.
Third-party vendors are not security experts, Fortify said. Software distributed by major ISVs produced 5,500 known vulnerabilities in 2008, the company has estimated.
“Application security can no longer be overlooked in procurement. Contracts should always specify that security assurance will be provided as a condition for accepting applications,” the company said.
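The governance flow the article describes (an application inventory, a risk profile per application, a policy derived from that profile, and assurance evidence required before a third-party application is accepted) can be sketched in a few dozen lines. The following is an added illustration, not Fortify’s code and not a description of how Fortify 360 computes risk; the scoring weights, thresholds, control names and the three inventory entries are all constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Risk(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


@dataclass
class Application:
    """One inventory entry. Attribute names are assumptions for this example."""
    name: str
    source: str                      # "in-house", "isv" or "outsourcer"
    internet_facing: bool
    handles_sensitive_data: bool
    # Assurance evidence already on file for this application, e.g. a static
    # analysis report or a vendor's attestation. Constructed control names.
    assurance_evidence: set[str] = field(default_factory=set)


# Controls a risk tier demands before acceptance (assumed policy table).
POLICY: dict[Risk, set[str]] = {
    Risk.HIGH: {"static_analysis", "dynamic_analysis", "vendor_attestation"},
    Risk.MEDIUM: {"static_analysis", "dynamic_analysis"},
    Risk.LOW: {"static_analysis"},
}


def risk_profile(app: Application) -> Risk:
    """Assign a risk tier from exposure, data sensitivity and sourcing.

    Weights and cut-offs are illustrative assumptions: exposure and sensitive
    data count most, and externally sourced code adds a point because the
    buyer cannot see how it was built.
    """
    score = 0
    if app.internet_facing:
        score += 2
    if app.handles_sensitive_data:
        score += 2
    if app.source != "in-house":
        score += 1
    if score >= 4:
        return Risk.HIGH
    if score >= 2:
        return Risk.MEDIUM
    return Risk.LOW


def required_controls(app: Application) -> set[str]:
    """The policy tailored to the application's risk profile."""
    return set(POLICY[risk_profile(app)])


def assurance_gaps(app: Application) -> set[str]:
    """Controls the policy requires but for which no evidence is on file."""
    return required_controls(app) - app.assurance_evidence


def procurement_decision(app: Application) -> str:
    """Accept only when every required control has evidence; otherwise hold."""
    gaps = assurance_gaps(app)
    if not gaps:
        return "accept"
    return "hold: missing " + ", ".join(sorted(gaps))


def governance_report(inventory: list[Application]) -> dict[str, str]:
    """Map each inventory entry to its procurement decision."""
    return {app.name: procurement_decision(app) for app in inventory}


# Constructed sample inventory.
INVENTORY = [
    Application("customer-portal", "isv", True, True,
                {"static_analysis", "dynamic_analysis"}),
    Application("hr-payroll", "outsourcer", False, True,
                {"static_analysis", "dynamic_analysis"}),
    Application("intranet-wiki", "in-house", False, False),
]

if __name__ == "__main__":
    for name, decision in governance_report(INVENTORY).items():
        print(f"{name}: {decision}")
```

The useful property is that the decision is derived, not hand-assigned: changing an application’s attributes (say, exposing it to the internet) moves it to a higher tier and immediately re-opens the acceptance question, which is the enforcement step the article says procurement contracts should make explicit.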