The regular release of software patches to protect applications from hackers suggests that safety from malicious attacks remains
a difficult and elusive goal. Part of the problem is that security is not wired into software developers’ thinking the same
way quality and usability are. Application security only emerged as a key issue once internal applications were exposed via
the Web to all passers-by, including crackers and miscreants.

CodeAssure Suite 2.0
Secure Software, securesoftware.com
Very Good 8.3

| Criteria | Score | Weight |
| Accuracy | 10 | 35% |
| Configurability | 8 | 20% |
| Setup | 7 | 15% |
| Language support | 7 | 10% |
| Performance | 8 | 10% |
| Value | 6 | 10% |

Cost: Yearly subscription; $48,000 for 10-user pack
Platforms: Windows, Linux; Workbench is an Eclipse plug-in
Bottom Line: CodeAssure Suite 2.0 is an excellent static source-code analyzer. Its accuracy is stellar, but it is limited to Java and
C code, and it ships exclusively as a plug-in to Eclipse. Both limitations keep it from realizing its full potential.
As a result, developers are playing catch-up. Fortunately, an emerging class of tools helps them comb through old code and
monitor new projects for programming constructs that allow a cracker to take control of the software.
Three startups provide enterprise-class tools of this kind: Secure Software, Fortify Software, and Ounce Labs, which declined to participate in a review. Other point products, such as Compuware’s DevPartner Security
Checker, also specialize in subsets of this functionality.
I took a look at Secure Software’s CodeAssure Suite 2.0. The Suite consists of a Workbench, which performs the analysis; a
Management Center, which tracks a project’s security strength; and the Integrator module, which ties CodeAssure to QA and
test products. The suite analyzes large code bases, finds security issues, and generates detailed reports of its findings
with user-selectable filters.
CodeAssure is designed to run frequently so developers can catch all infelicities right away. The management console makes
it easy for project leads and senior managers to verify that these problems are in fact being resolved.
I found CodeAssure 2.0 top-notch at discovering problems, but not as fully featured as the Fortify Source Code Analysis suite. An aggressive schedule of releases, however, should close some of that gap
during the next six to nine months.
Workbench
The heart of CodeAssure 2.0 is the Workbench, which takes the form of an Eclipse plug-in. If you don’t have Eclipse, the installer will load a copy of the IDE onto your disk and then set up the plug-in.
To analyze a code base, you simply create a new project, import the code, and click the menu tab for analysis. The Workbench
uses a compiler front end to step through the source code, generates an internal representation of the program, and then scours
that data for security holes.
CodeAssure did an outstanding job of finding possible sources of security problems — better than any package I’ve seen. When
it finds a questionable construct, it categorizes it by severity, records its location, and places this information in a tabular
format in an Eclipse window. From here a developer clicks on the error and goes directly to the offending line. A panel in
the IDE’s upper right corner explains the problem and suggests a remedy.
You can configure this process to remove “false positives,” items known to be safe but that appear to the Workbench as security
problems. Multiple runs of CodeAssure are stored and accessed individually, and a PDF report is generated with a single mouse
click. The reports are elegant and clean and the Workbench is simple to use, although it doesn’t provide the means to compare
results from two separate runs.