It's no coincidence that the company announced its backing of the BSA concept simultaneous to the release of its new Fortify 360 product line, which is more expansive than the company's previous products in terms of its reach across various stages of applications development.
However, the product was tailored to reflect emerging demands from the firm's customers, some of whom are already mature enough in their development operations to embrace the BSA process, Fortify executives said.
Officials with at least one of the company's customers, online stock trading provider Scottrade, said that they are moving in the direction of BSA, even if they have yet to adopt that nomenclature for their work.
Scottrade and its rivals, including eTrade and other online stock sites, have been among those businesses who have publicly announced significant financial write-offs driven by applications-level attacks on their trading systems.
The key idea is approaching applications security as a process, rather than on a more piecemeal basis, as has been common practice for many firms up until now, said Grant Bourzikas, director of information security at Scottrade.
"To really address the security problem, you have to fix your code; intrusion prevention, Web applications firewalls, and a lot of other security technologies don't address the root cause, which is poor code left vulnerable that forces people to write signatures to protect at the network the level," Bourzikas said. "Of course we use all those products, and we have a traditional layered security approach, but by better securing our code and having this two-pronged effect, we can protect ourselves and our customers a lot better."
Whether or not the market will wrap its arms around the phrase business software assurance or merely view the process as part of a common SDLC (secure development lifecycle) program, the notion of continuous code and applications scanning is one that will continue to catch on with more companies, the executive said.
Yet, as important as any technology is the cultural change that must be affected among developers if the strategy is to succeed, said Bourzikas.
"Tools like this can help with SDLC, but you also have to consider the awareness issue," he said. "People have to better understand all the risks, because no one goes out and tries to write code that is insecure by default, they've been told to write something that works and they meet those requirements. We're hoping to teach our developers on what they need to protect, so in that sense, education is every bit as important."