Exclusive: CodeAssure 2.0 seeks out security holes in your software
Code-combing suite finds problems easily but lacks support for multiple languages
The regular release of software patches to protect applications from hackers suggests that safety from malicious attacks remains a difficult and elusive goal. Part of the problem is that security is not wired into software developers’ thinking the same way quality and usability are. Application security only emerged as a key issue once internal applications were exposed via the Web to all passers-by, including crackers and miscreants.
As a result, developers are playing catch up. Fortunately, an emerging class of tools helps them comb through old code and monitor new projects for programming constructs that allow a cracker to take control of the software.
Three startups provide enterprise-class tools of this kind: Secure Software, Fortify Software, and Ounce Labs, which declined to participate in a review. Other point products, such as Compuware’s DevPartner Security Checker, also specialize in subsets of this functionality.
I took a look at Secure Software’s CodeAssure Suite 2.0. The Suite consists of a Workbench, which performs the analysis; a Management Center, which tracks a project’s security strength; and the Integrator module, which ties CodeAssure to QA and test products. The suite analyzes large code bases, finds security issues, and generates detailed reports of its findings with user-selectable filters.
CodeAssure is designed to run frequently so developers can catch all infelicities right away. The management console makes it easy for project leads and senior managers to verify that this resolution is in fact occurring.
I found CodeAssure 2.0 top-notch at discovering problems, but not as fully featured as the Fortify Source Code Analysis suite. An aggressive schedule of releases, however, should close some of that gap
during the next six to nine months.
The heart of CodeAssure 2.0 is the Workbench, which takes the form of an Eclipse plug-in. If you don’t have Eclipse, the installer will load a copy of the IDE onto your disk and then set up the plug-in.
To analyze a code base, you simply create a new project, import the code, and click the menu tab for analysis. The Workbench uses a compiler front end to step through the source code, generates an internal representation of the program, and then scours that data for security holes.
CodeAssure did an outstanding job of finding possible sources of security problems — better than any package I’ve seen. When it finds a questionable construct, it categorizes it by severity, records its location, and places this information in a tabular format in an Eclipse window. From here a developer clicks on the error and goes directly to the offending line. A panel in the IDE’s upper right corner explains the problem and suggests a remedy.
You can configure this process to remove “false positives,” items known to be safe but that appear to the Workbench as security problems. Multiple runs of CodeAssure are stored and accessed individually, and a PDF report is generated with a single mouse click. The reports are elegant and clean and the Workbench is simple to use, although it doesn’t provide the means to compare results from two separate runs.