January 14, 2005

Automate security audits for source code

Fortify Source Code Analysis Suite 3.0 combines comprehensive inspection and intelligent analysis

Tools that help software developers write secure code are notably under-represented in today's corporate arsenals. The reason is that checking source code for security weaknesses is a difficult task, given the number of potential threats and the almost endless ways to code programs. 

Enterprises addressing these security threats at the source code level typically rely on code reviews, security audits, and tools that perform syntactical searches of code bases. These approaches tend to be slow, expensive, and insufficiently comprehensive. Fortify Software's Source Code Analysis Suite 3.0, which understands code and automates security analysis during the development cycle, promises welcome relief. 

Fortify's Source Code Analysis Suite consists of two principal components: the Fortify Audit Workbench, which drives the source code analysis engine, and the Fortify Software Security Manager, which enables managers to track project security and modify the kinds of vulnerabilities that Fortify will detect.

The Workbench's source code analysis engine does all the heavy lifting. It's a Java application that reads through source code looking for specific vulnerabilities. It is guided by a set of rule packs that identify what specific items to look for. Rule packs for C/C++, C#, Java, JSP, and SQL come with the product.

Source In, Security Out

Fortify's analysis is done at a semantic, rather than syntactical, level. This means that the product understands what the code is doing. For example, it can map out data flows and recognize that untested, user-entered data -- always a potential threat -- has been passed to a routine. The routine might well be entirely correct in its functioning but unaware that the data passed to it has been corrupted in a way designed to unhinge the application. Because the Fortify engine understands the code, it can monitor execution and data flows through multiple modules and identify the points where unsafe data is touched without first being verified. Few solutions today can find intermodule security problems of this kind.
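The kind of intermodule data-flow check described above, reduced to a toy taint analysis written for this review (not Fortify's engine or rule packs): untrusted input is tracked through assignments and across function calls, validation clears the taint, and a report is raised only when a still-tainted value reaches a dangerous sink. The mini-language, the statement forms and the sample program are all constructed for the illustration.

```python
# Toy interprocedural taint analysis (constructed illustration, not Fortify's engine).
# A program maps function name -> (parameter names, statements). Statement forms:
#   ("source", var)              var receives untrusted input (e.g. an HTTP parameter)
#   ("assign", dst, src)         dst = src
#   ("validate", var)            var has been checked, so it is trusted afterwards
#   ("call", callee, args, ret)  ret = callee(*args)
#   ("return", var)              the function's return value is var
#   ("sink", var, kind)          var reaches a dangerous operation (SQL query, buffer copy)
# Assumption: the analysed program contains no recursion.

def analyze(program, entry):
    """Return [(call path, issue kind, variable)] for each tainted value reaching a sink."""
    findings = []

    def run(fn, tainted_args, path):
        params, body = program[fn]
        tainted = {p for p, t in zip(params, tainted_args) if t}
        returns_tainted = False
        for stmt in body:
            op = stmt[0]
            if op == "source":
                tainted.add(stmt[1])
            elif op == "assign":
                # taint follows the data: dst is tainted exactly when src is
                (tainted.add if stmt[2] in tainted else tainted.discard)(stmt[1])
            elif op == "validate":
                tainted.discard(stmt[1])
            elif op == "call":
                _, callee, args, ret = stmt
                callee_tainted = run(callee, [a in tainted for a in args], path + [callee])
                (tainted.add if callee_tainted else tainted.discard)(ret)
            elif op == "return":
                returns_tainted = stmt[1] in tainted
            elif op == "sink" and stmt[1] in tainted:
                findings.append((" -> ".join(path), stmt[2], stmt[1]))
        return returns_tainted

    run(entry, [], [entry])
    return findings

# Constructed sample: two entry points share build_query/run_sql; only one validates input.
PROGRAM = {
    "handle_request": ([], [("source", "name"), ("call", "build_query", ["name"], "sql"),
                            ("call", "run_sql", ["sql"], "_")]),
    "safe_request": ([], [("source", "name"), ("validate", "name"),
                          ("call", "build_query", ["name"], "sql"), ("call", "run_sql", ["sql"], "_")]),
    "build_query": (["who"], [("assign", "q", "who"), ("return", "q")]),  # q = "...WHERE user='" + who
    "run_sql": (["q"], [("sink", "q", "SQL injection")]),
}
```

Running `analyze(PROGRAM, "handle_request")` reports the SQL injection sink reached via the shared helper, while `analyze(PROGRAM, "safe_request")` reports nothing, because the validation step cleared the taint before the same call chain.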

Fortify generates a large XML file containing data on all the vulnerabilities it finds. This file is then analyzed by the Workbench, which displays the information in a user-friendly format. Unless programmers are up-to-date on the nature of specific coding vulnerabilities, they are likely to be surprised by what Fortify flags. The product catches not only buffer overruns and opportunities for SQL injection, but also more esoteric issues.

For example, one form of attack consists of forcing an application to open so many files that it fails in a predictable manner. By hacking the application just so, a hacker can take over the code when this failure occurs. Hence, Fortify monitors file opening and closing, and suggests that files should be closed as soon as possible (rather than left open until the program closes them at exit) and that the return value of the close should be monitored.

Because the number of generated warnings can be rather large, the Audit Workbench automatically assigns them severity ratings and enables the creation of filters, so that only items of interest are displayed. The display not only lists the vulnerabilities and the explanations, but also takes developers directly to the offending line of code.

Test Center Scorecard
Category weights: 35%, 20%, 15%, 10%, 10%, 10%
Fortify Source Code Analysis Suite 3.0: 9, 9, 8, 9, 7, 6
Overall: 8.4 (Very Good)

©1994-2009 Infoworld, Inc.