Chess admitted that companies falling under the PCI DSS mandate may be able to meet initial audits of Sections 3 and 6 via the use of freeware open source code-scanning tools, but he contends that large enterprises, and eventually smaller firms, will discover they need industrial-strength products such as those offered by Fortify and its rivals if they want to continue to remain compliant in the long term.
The PCI Council will likely make the terms of the regulation more stringent in the coming years, driving the uptake of more advanced code testing automation products, he said.
At least one Fortify customer said that in addition to meeting the growing range of industry regulations pushing applications security and smarter development, clients are asking the companies what they are doing in terms of improving their source code analysis.
That trend is particularly evident to companies such as NetDeposit, which markets outsourced payment processing technologies and services to banks and other financial services companies, said William Wong, chief technology officer of the company.
"Proving that we have secure code in our products is one of the fundamental requirements in this business. Financial services companies have a long due-diligence process, and as part of that they are asking us to prove to them that our products are secure on a source-code level," Wong said. "In the past we've relied on standard development techniques and controls to engineer and verify security, but today we need tools to both drive remaining vulnerabilities out of our products and demonstrate applications security to prospective customers."
Some industry analysts remain uncertain if PCI will prove to be the business driver that source code analysis vendors have predicted, but even those who remain skeptical about the regulation's impact agree the regulation is contributing to growth in the segment.
"In the long run, I'm not sure how much business PCI will generate, but there's no question that the combination of attacks and data security regulations is raising awareness of applications security in general, including source code analysis," said Dr. Chenxi Wang, analyst with Forrester Research. "Compared to just two years ago, the market for these tools has grown to the extent that it is outpacing growth of the broader IT security industry."
Wang said the jury is still out as to whether PCI auditors will push companies to begin utilizing source code analyzers, as the regulation also allows for affected companies to use third-party testing services and Web applications firewalls to meet some requirements.
However, the analyst said source code analysis tools themselves may become a popular format for proving Web applications security efforts to assessors, if those auditors decide to interpret the PCI DSS standard as such.
"There's still a lot of debate what this all means in terms of review, and whether use of a source code analysis tool would qualify as a review in the minds of auditors," Chang said. "If that is the case, it could provide an ever larger opportunity for these vendors in the long term."