Source code testers expect PCI windfall

With two elements of the PCI data protection regulation that address applications security set to reach their deadlines during the first half of 2008, source code analysis vendors say they are priming for rapid growth as retailers and other companies begin making investments to meet the terms of the guideline.

Sections 3 and 6 of the PCI Data Security Standard (DSS), which address the protection and storage of sensitive data, and the development and maintenance of secure transactional applications, respectively, will be significant drivers of new business, the vendors claim, as many firms that are obliged to fall in line with the regulation haven't previously dabbled in source code testing.

The PCI DSS standard was created by payment card industry players, including all the world's largest credit card providers, to force retailers and other processors of their customer accounts to improve security of the sensitive customer financial information they store.

"The credit card companies driving these standards are telling their partners that they need to start looking at code quality in their applications, and that's having a truly global impact in terms of requiring anyone who handles these records to adhere, no matter where they are," said Claudia Dent, senior vice president of marketing at Ounce Labs, a maker of software risk analysis tools.

"PCI is the first standard that goes into real specifics about how applications should handle data, and in time we believe other regulations will start to catch up as well," she said. "Some financial services firms and government agencies have been doing analysis, but this regulation is going to push a lot of other companies beyond what they've been doing around perimeter security and into testing security at an applications level."

Specifically, the elements of PCI DSS Section 3 that require companies to assure secure processes in the manner that applications are handling and manipulating sensitive data, and portions of Section 6 that relate to proving that developers are following secure coding practices will drive new business, vendor representatives said.

Customers are already telling code analysis tool providers they are frightened by the financial implications of failing an audit of those pieces of the PCI standard, and concerned as to what level they will be required to prove compliance with the measure, said Brian Chess, founder and chief scientist of Fortify, which markets secure applications development technologies.

"Just because the deadline is out there, that doesn't mean everyone will invest in tools such as ours. But the truth is that enterprise security groups are using PCI as a lever to do some things around applications security that they've probably known they should do for a long time," said Chess.

"Not getting attacked has been a tough way to defend the investment and win the budget to do this work from business leaders," he said. "But with PCI, you have a powerful body handing down a requirement, and the message of failing an audit seems to resonate with most CEOs."