Fortify scours code for security vulnerabilities

Fortify offers a code-level line of defense against those who would attack enterprise Web applications to wreak havoc or reap ill-gotten gains

By Galen Gruman
May 15, 2006

Talkback

E-mail

Printer Friendly

Reprints

The old adage that an ounce of prevention is better than a pound of cure sums up Fortify’s approach to securing homegrown enterprise applications, which are frequently enticing targets for hackers and their malicious exploits. “It’s these front-door apps that are the front-door access to the underlying data,” says Fortify CEO John M. Jack.

Return to special report

DOWNLOAD PDF

Click here to download InfoWorld's special report 15 tech startups to watch

The standard approach to securing enterprise applications is to look for attack signatures and then block them. Fortify’s approach is to eliminate the vulnerabilities in the first place, so even if attackers breach network defenses they can’t exploit the applications. “We look at the root cause,” Jack says.

A big reason for the holes in homegrown software is lack of experience. “Most of the applications were written by developers not trained on security. They expect well-behaved users,” Jack says. But now that the enterprise is so connected to the outside world, that expectation is unsupportable.

To help developers eliminate security holes, Fortify offers tools that work with Java, C++, C, and Transact-SQL on Windows and Linux platforms. Essentially an all-purpose plug-in to Borland, Eclipse Foundation, and Microsoft development environments, the Fortify Source Code Analysis tool scans the source code on the build server for vulnerabilities, such as a buffer overflow, that a worm might take advantage of. “There are over a million worms that can exploit that,” Jack says.

Among the other 100 or so vulnerabilities that Fortify looks for are SQL injections and cross-site scripting. The tool identifies the vulnerability so developers can close them while the coding effort is in progress. “We have total knowledge of the app and the context,” Jack says, which he believes results in better security than traditional post-deployment intrusion detection.

For more conventional intrusion prevention, Fortify also provides the Application Defense tool to monitor application attacks. Its primary use is to protect existing applications for which you don’t have the source code or that you have not been able to recode with the help of the Fortify Source Code Analysis tool.

Click for larger view.

Galen Gruman is contributing editor at InfoWorld.

Add to:

Digg

Talkback:

comment Post a Comment

MOST COMMENTS

Can you really live without Microsoft Office?

Why San Francisco's network admin went rogue

Mac (in)security: How to secure Macs in business

The birth of the InfoWorld WorldBooks

>> Talkback: Have your say

Remote Access: Maintain Security and Decrease the Burden on IT
Join this interactive webcast to discover how IT Managers can control access rights, end-user security settings and end-point authorization. Sponsor: Citrix(R) GoToMyPC(R) Corporate

» Click here to view this Webcast

Zombie PCs Are Attacking Your LAN
A recent study showed that malware-infected zombie PCs are now a bigger threat to ISPs and Web infrastructure than DoS attacks. As this brand new IT Strategy Guide explains, an increased use of peer-to-peer techniques by the attackers has made it harder to fight back. Download now, compliments of Verio:

» Click here to download now

- Special Advertising Partners -

WHITE PAPERS

Effective Security with a Continuous Approach to ISO 27001 Compliance - The Tripwire Enterprise solution provides organizations with powerful configuration control through its configuration assessment...
Help Simplify Virtualization - One common challenge IT organizations face is server sprawl, which can require large amounts of facilities and support resources...
Solution for Open Virtualization Provides Server Consolidation - Using virtualization to decrease the number of servers presents cost savings opportunities. Organizations that want to take...
A Guide to Rich Internet Application (RIA) Security - Read about Forrester's findings on RIA security included in a Forrester Research paper valued at $775 titled "Securing Rich...
Disaster Recovery in Minutes - This paper describes a complete disk-based system recovery solution for Microsoft Windows based servers, desktops, and laptops...
Protecting Microsoft(R) Applications - Microsoft Exchange, SQL, Active Directory, and SharePoint have quickly risen to mission-critical status in many companies...

» Technology White Papers Library

Technology White Papers by Topic

Technology White Papers E-mail Alert

•

Application development

•

•

•

•

•

•

•

Find out when the latest white paper is available:

INFOWORLD MARKETPLACE

Deliver REMOTE SUPPORT Easily. Try WebEx FREE! - DOWNLOAD WEBEX SUPPORT CENTER FREE! Deliver efficient, effective support. CRUSH SUPPORT LOG JAMS!
Migrating to an IP-VPN? XO Can Make It Happen - Learn the five critical success factors with a free whitepaper from XO Enterprise Solutions.
Sign up to TRY WEBEX SUPPORT CENTER FOR FREE! - Get your FULL FEATURED trial here. Share documents and applications, address support challenges.
IP Networks Boost Secure Health Communications - AT&T provides secure communication to keep health care moving forward.
Why a CMDB? - IT best practices (ITIL) have shown the benefits of a CMDB. Click for whitepapers.

» BUY A LINK NOW

Fortify scours code for security vulnerabilities

MOST COMMENTS

» Technology White Papers Library

Technology White Papers by Topic

Technology White Papers E-mail Alert

Video

Podcasts

InfoWorld Blogs

Columnists

Find Products and Companies

Resource Center

Sponsored Technology Links

Sponsored Technology Links
Xerox - Experience the colorful side of business at www.frugalcolor.com IBM - Webcast: Take control of your content- leverage MOSS AT&T - Thinking about IMS AT&T - Factors to consider when comparing DSL or Cable AT&T - Going mobile with today's technology AT&T - What to expect from a Technology Assessment. Polycom - Telepresence For The Enterprise GoToMyPC - Research Brief: Providing Secure and Cost-Effective Remote Access HP/Intel - If you don't have enough I/O, your VMs aren't going to go. AppAssure - Keeping the E-Mail Flowing Tripwire - Secure your virtual and physical environments with the same software. CA - Efficient - Flexible - Compliant PGP - Is Your Data Safe? Novell, IBM, and Intel - Solution for Open Virtualization Provides Server Consolidation Curl - IT Guide: Rich Internet Application (RIA) Security Symantec - Whitepaper: Secure, recover, and archive critical information Microsoft - {Open Source} Heroes Happen Here Symantec - Whitepaper: Protecting Microsoft(R) Applications Riverbed - Five Ugly Truths about WAFS and Caching InterSystems - Use Ensemble - quickly create composite applications. Cirba - Advanced Workload Analysis Techniques Rackspace - Go Green Without Sacrificing Server Performance CA - Manage your IT more effectively. AT&T - Measuring mobile productivity		CA - Plan IT better, Manage IT better. AT&T - Refine your company's plan for a Business Disruption Event Cirba - Consolidating Workloads onto Mainframes AT&T - Class of Service: Myths and Misconceptions AT&T - Enhancing security through Quantum Cryptography Riverbed - Wide Area Data Services Microsoft - Microsoft Forefront makes defending your systems easier. Learn how. HP - Explore the interactive whitepaper: Rightsizing Blades for the mid-market. Symantec - Webcast: Beyond AntiVirus AMD - Renowned Engineering Institution Chooses AMD Processor-Based Servers AMD - Watch this flash demo of the Quad-Core AMD Opteron Processor EMC - EMC and VMware help you build your virtualized infrastructure. AMD - HP and Oracle deploy unbreakable computing infrastructure Qwest - Learn how Qwest voice and data solutions can save you time. MKS - The Power of UNIX/Linux on Windows with MKS Toolkit Vision Solutions - Is your smaller organization ready for High Availability? Vision Solutions - Is system maintenance doing more harm than good? HP - NEW HP LaserJet P4014n printer Starting at $699 after $100 IS. HP - HP LaserJet M3035 MFP series Starting at $1,599. SHOP NOW HP - Speed, agility, flexibility - The HP BladeSystem c-Class. Nokia - Restore Your Mobile Devices With One Click Oracle - The Power of Two with SOA and BPM

	HOME NEWS BLOGS PODCASTS VIDEOS TECHNOLOGIES TEST CENTER EVENTS CAREERS	About \| Advertise \| Awards \| RSS \| Contact Us
Copyright © 2008, Reprints, Permissions, Licensing, IDG Network, Privacy Policy, Terms of Service. All Rights reserved. InfoWorld is a leading publisher of technology information and product reviews on topics including viruses, phishing, worms, firewalls, security, servers, storage, networking, wireless, databases, and web services. CIO :: ComputerWorld :: CSO :: Demo :: GamePro :: Games.net :: IDG Connect :: IDG World Expo Industry Standard :: IT World :: JavaWorld :: LinuxWorld :: MacUser :: Macworld :: Network World :: PC World :: Playlist