Source code testers expect PCI windfall

Companies' need to comply with new standards for storing and protecting sensitive data will be a significant driver of business for source code analysis vendors

With two elements of the PCI data protection regulation that address applications security set to reach their deadlines during the first half of 2008, source code analysis vendors say they are priming for rapid growth as retailers and other companies begin making investments to meet the terms of the guideline.

Sections 3 and 6 of the PCI Data Security Standard (DSS), which address the protection and storage of sensitive data, and the development and maintenance of secure transactional applications, respectively, will be significant drivers of new business, the vendors claim, as many firms that are obliged to fall in line with the regulation haven't previously dabbled in source code testing.

The PCI DSS standard was created by payment card industry players, including all the world's largest credit card providers, to force retailers and other processors of their customer accounts to improve security of the sensitive customer financial information they store.

"The credit card companies driving these standards are telling their partners that they need to start looking at code quality in their applications, and that's having a truly global impact in terms of requiring anyone who handles these records to adhere, no matter where they are," said Claudia Dent, senior vice president of marketing at Ounce Labs, a maker of software risk analysis tools.

"PCI is the first standard that goes into real specifics about how applications should handle data, and in time we believe other regulations will start to catch up as well," she said. "Some financial services firms and government agencies have been doing analysis, but this regulation is going to push a lot of other companies beyond what they've been doing around perimeter security and into testing security at an applications level."

Specifically, the elements of PCI DSS Section 3 that require companies to assure secure processes in the manner that applications are handling and manipulating sensitive data, and portions of Section 6 that relate to proving that developers are following secure coding practices will drive new business, vendor representatives said.

Customers are already telling code analysis tool providers they are frightened by the financial implications of failing an audit of those pieces of the PCI standard, and concerned as to what level they will be required to prove compliance with the measure, said Brian Chess, founder and chief scientist of Fortify, which markets secure applications development technologies.

"Just because the deadline is out there, that doesn't mean everyone will invest in tools such as ours. But the truth is that enterprise security groups are using PCI as a lever to do some things around applications security that they've probably known they should do for a long time," said Chess.

"Not getting attacked has been a tough way to defend the investment and win the budget to do this work from business leaders," he said. "But with PCI, you have a powerful body handing down a requirement, and the message of failing an audit seems to resonate with most CEOs."

Chess admitted that companies falling under the PCI DSS mandate may be able to meet initial audits of Sections 3 and 6 via the use of freeware open source code-scanning tools, but he contends that large enterprises, and eventually smaller firms, will discover they need industrial-strength products such as those offered by Fortify and its rivals if they want to continue to remain compliant in the long term.

The PCI Council will likely make the terms of the regulation more stringent in the coming years, driving the uptake of more advanced code testing automation products, he said.

At least one Fortify customer said that in addition to meeting the growing range of industry regulations pushing applications security and smarter development, clients are asking the companies what they are doing in terms of improving their source code analysis.

That trend is particularly evident to companies such as NetDeposit, which markets outsourced payment processing technologies and services to banks and other financial services companies, said William Wong, chief technology officer of the company.

"Proving that we have secure code in our products is one of the fundamental requirements in this business. Financial services companies have a long due-diligence process, and as part of that they are asking us to prove to them that our products are secure on a source-code level," Wong said. "In the past we've relied on standard development techniques and controls to engineer and verify security, but today we need tools to both drive remaining vulnerabilities out of our products and demonstrate applications security to prospective customers."

Some industry analysts remain uncertain if PCI will prove to be the business driver that source code analysis vendors have predicted, but even those who remain skeptical about the regulation's impact agree the regulation is contributing to growth in the segment.

"In the long run, I'm not sure how much business PCI will generate, but there's no question that the combination of attacks and data security regulations is raising awareness of applications security in general, including source code analysis," said Dr. Chenxi Wang, analyst with Forrester Research. "Compared to just two years ago, the market for these tools has grown to the extent that it is outpacing growth of the broader IT security industry."

Wang said the jury is still out as to whether PCI auditors will push companies to begin utilizing source code analyzers, as the regulation also allows for affected companies to use third-party testing services and Web applications firewalls to meet some requirements.

However, the analyst said source code analysis tools themselves may become a popular format for proving Web applications security efforts to assessors, if those auditors decide to interpret the PCI DSS standard as such.

"There's still a lot of debate what this all means in terms of review, and whether use of a source code analysis tool would qualify as a review in the minds of auditors," Chang said. "If that is the case, it could provide an ever larger opportunity for these vendors in the long term."