Automate security audits for source code

The analysis engine is intended to run on a build server. It is designed to slip easily into make files or Ant build files. It runs at speeds comparable to a compiler. In view of the fact that it need be run only on files modified since the last security audit, this does not represent significant overhead.

Perfecting the Process

The Fortify Software Security Manager, which is part of the enterprise edition of the Fortify suite, tracks the security progress of a project. Using it, a manager monitors the number of defects by type and can compare the count with previous audit results. Managers can also change the severity of specific vulnerabilities, depending on the nature of the company's business processes, and then track the resolution of just those items. Fortify's software makes this management process straightforward and intuitive. New rule packs, which are regularly updated by Fortify as crackers find new ways to identify and exploit vulnerabilities, are also added through this management console.

I ran Fortify on C/C++ and Java code bases from open source projects and applications developed by me, and I found the analysis to be deep and comprehensive. As it will for almost any developer, Fortify has led me to change the way I write many routines, which ultimately is the whole idea: improving security by making programmers more aware of security vulnerabilities. To this end, Fortify plans to release plug-ins for Eclipse and Visual Studio .Net that enable developers to quickly verify their code before checking it in to the source control systems.

The suite did have some shortcomings, mostly in secondary areas. One serious problem was its inability to change projects. When I closed an existing project in the Workbench and opened another, the display included data from both projects, which makes for nonsensical displays in the best cases, incorrect actions in the worst. The company is aware of this bug.

In addition, the GUI is cumbersome in many instances -- buttons are placed in unconventional places, they lead to unexpected features, and the help functions are frustratingly insufficient -- all of which make the product unnecessarily difficult to use. The other issue is pricing, which starts at $56,400 per CPU. (A team edition that lacks the manager console and the ability to write custom rules starts at $30,000.) Sure, closing a security loophole can be a nearly priceless improvement, but Fortify's price is certain to deter adoption at many sites.

Checking software for security vulnerabilities is something that needs to be done regularly by knowledgeable developers. Unfortunately, the necessary expertise is hard to come by. Many shops publish insecure code because they don't have the qualifications to perform good code reviews or the tools that can analyze their code deeply. Fortify's Source Code Analysis Suite provides a comprehensive solution that intelligently analyzes code bases and generates detailed, usable reports of vulnerabilities.