Exclusive: CodeAssure 2.0 seeks out security holes in your software

Code-combing suite finds problems easily but lacks support for multiple languages

The regular release of software patches to protect applications from hackers suggests that safety from malicious attacks remains a difficult and elusive goal. Part of the problem is that security is not wired into software developers’ thinking the same way quality and usability are. Application security only emerged as a key issue once internal applications were exposed via the Web to all passers-by, including crackers and miscreants.

As a result, developers are playing catch up. Fortunately, an emerging class of tools helps them comb through old code and monitor new projects for programming constructs that allow a cracker to take control of the software.

Three startups provide enterprise-class tools of this kind: Secure Software, Fortify Software, and Ounce Labs, which declined to participate in a review. Other point products, such as Compuware’s DevPartner Security Checker, also specialize in subsets of this functionality.

I took a look at Secure Software’s CodeAssure Suite 2.0. The Suite consists of a Workbench, which performs the analysis; a Management Center, which tracks a project’s security strength; and the Integrator module, which ties CodeAssure to QA and test products. The suite analyzes large code bases, finds security issues, and generates detailed reports of its findings with user-selectable filters.

CodeAssure is designed to run frequently so developers can catch all infelicities right away. The management console makes it easy for project leads and senior managers to verify that this resolution is in fact occurring.

I found CodeAssure 2.0 top-notch at discovering problems, but not as fully featured as the Fortify Source Code Analysis suite. An aggressive schedule of releases, however, should close some of that gap

during the next six to nine months.


The heart of CodeAssure 2.0 is the Workbench, which takes the form of an Eclipse plug-in. If you don’t have Eclipse, the installer will load a copy of the IDE onto your disk and then set up the plug-in.

To analyze a code base, you simply create a new project, import the code, and click the menu tab for analysis. The Workbench uses a compiler front end to step through the source code, generates an internal representation of the program, and then scours that data for security holes.

CodeAssure did an outstanding job of finding possible sources of security problems — better than any package I’ve seen. When it finds a questionable construct, it categorizes it by severity, records its location, and places this information in a tabular format in an Eclipse window. From here a developer clicks on the error and goes directly to the offending line. A panel in the IDE’s upper right corner explains the problem and suggests a remedy.

You can configure this process to remove “false positives,” items known to be safe but that appear to the Workbench as security problems. Multiple runs of CodeAssure are stored and accessed individually, and a PDF report is generated with a single mouse click. The reports are elegant and clean and the Workbench is simple to use, although it doesn’t provide the means to compare results from two separate runs.

Part of the value of using packages such as CodeAssure is the education they provide developers. To this end, the product provides a detailed explanation of problems it catches and suggestions on how best to correct them.

I found CodeAssure’s suggestions less than completely helpful, however. Sometimes they were out of sync with the actual error; at other times, they used terminology likely to be unfamiliar to a programmer unschooled in security issues. For example, is the suggestion to use “canary style bounds checking” meaningful without specific training?

Otherwise, the Workbench was intuitive and provided excellent analysis of security holes, but it had limitations. The most conspicuous of these is its lack of language support. The prerelease of version 2.0 I examined had support only for Java and C -- despite documents contending that the product also supports C++. (Secure Software expects to support C++ in a release later this year.)

Another limitation is Workbench’s format: It’s available only as a plug-in to Eclipse. This environment is fine for Java developers, but it will be unfamiliar to users of Microsoft Visual Studio .Net.

Management Center

The CodeAssure Management Center is a dashboard that tracks the status and progress of projects. Its attractive display shows where programs stand in terms of the number and severity of issues and the remediation trends.

The dashboard also allows a manager to categorize projects, error types, and the nature of an application so reports correctly highlight the urgency and the sensitivity of a specific security issue. Metrics providing data on security policy compliance are also available.

The Management Console is accessed via a Web browser. Installation requires a DBMS (Oracle, IBM DB2, or Microsoft SQL Server) and an Apache Tomcat container. It’s a step that can be thorny, and it generally requires that Secure Software provide a technician to perform the installation and configuration.

This design (and the expense it entails) seems needless: The console is a defining example of an application that should use an embedded database because it is the only consumer of the data it generates.

Money matters

CodeAssure Suite 2.0 is superb at finding security problems, and it found many “minor” problems missed by other programs. These problems might appear minor at first, but they represent potential security or reliability issues. I was impressed.

Nevertheless, I must complain about the pricing, which starts at no less than $48,000 per year. That’s a hefty sum for covering 10 developers, the minimum number of seats that can be ordered.

CodeAssure needs to catch up with competitors that support C/C++, Java, SQL, and JSPs so it can track data that moves across software modules that use these languages. It also needs to provide plug-ins for Visual Studio .Net and Borland IDEs, and the documentation for both the Management Center and Workbench should be improved. With those pieces in place, CodeAssure will be a more well-rounded development tool.

InfoWorld Scorecard
Performance (10.0%)
Value (10.0%)
Accuracy (35.0%)
Configurability (20.0%)
Language support (10.0%)
Setup (15.0%)
Overall Score (100%)
CodeAssure Suite 2.0 8.0 6.0 10.0 8.0 7.0 7.0 8.3