Tools that help software developers write secure code are notably under-represented in today's corporate arsenals. The reason
is that checking source code for security weaknesses is a difficult task, given the number of potential threats and the almost
endless ways to code programs.

Fortify Source Code Analysis Suite 3.0
Fortify Software, fortifysoftware.com
Overall score: Very Good (8.4)

| Criteria         | Score | Weight |
|------------------|-------|--------|
| Accuracy         | 9     | 35%    |
| Configurability  | 9     | 20%    |
| Setup            | 8     | 15%    |
| Language support | 9     | 10%    |
| Performance      | 7     | 10%    |
| Value            | 6     | 10%    |

Cost: Enterprise Edition: $56,400 per year, or a perpetual license for $80,000 plus $14,400 per year for support and rules
updates. These prices are per CPU on the build server.
Platforms: Windows, Solaris, Red Hat Linux, Mac OS
Bottom Line: The Fortify Source Code Analysis Suite is a comprehensive and configurable, if pricey, package that automates security audits
of C, C++, C#, Java, JSP, and SQL code. Its thorough analysis and detailed recommendations make remedial action quick and
effective.
Enterprises addressing these security threats at the source code level typically rely on code reviews, security audits, and
tools that perform syntactical searches of code bases. These approaches tend to be slow, expensive, and insufficiently comprehensive.
Fortify Software's Source Code Analysis Suite 3.0, which understands code and automates security analysis during the development
cycle, promises welcome relief.
Fortify's Code Analysis Suite consists of two principal components: the Fortify Audit Workbench, which drives the source code
analysis engine, and the Fortify Software Security Manager, which enables managers to track project security and modify the
kinds of vulnerabilities that Fortify will detect.
The Workbench's source code analysis engine does all the heavy lifting. It's a Java application that reads through source
code looking for specific vulnerabilities. It is guided by a set of rule packs that identify what specific items to look for.
Rule packs for C/C++, C#, Java, JSP, and SQL come with the product.
Source In, Security Out
Fortify's analysis is done at a semantic, rather than syntactical, level. This means that the product understands what the
code is doing. For example, it can map out data flows and recognize that untested, user-entered data -- always a potential
threat -- has been passed to a routine. The routine might well be entirely correct in its functioning but unaware that the
data passed to it has been corrupted in a way designed to unhinge the application. Because the Fortify engine understands
the code, it can monitor execution and data flows through multiple modules and identify the points where unsafe data is touched
without first being verified. Few solutions today can find intermodule security problems of this kind.
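The data-flow pattern described above, as an added C illustration (not code from the review or from Fortify): a sink in one module that is correct on its own terms but trusts its callers, an unchecked path to it, and a hardened entry point that validates the user-controlled string at the trust boundary. The function and buffer names are assumptions for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 15   /* the sink's local buffer holds NAME_MAX_LEN chars plus NUL */

/* Sink, living in a formatting module. It is internally consistent but relies
 * on its callers having already bounded `name`; with an unbounded,
 * user-controlled string the strcpy() below overruns `local`. This is the
 * unchecked intermodule path a data-flow analysis reports, so it is
 * deliberately never called in this example. */
void format_greeting_unchecked(char *out, size_t outlen, const char *name)
{
    char local[NAME_MAX_LEN + 1];
    strcpy(local, name);
    snprintf(out, outlen, "Hello, %s!", local);
}

/* Validation gate at the trust boundary: printable ASCII of bounded length only. */
int validate_name(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > NAME_MAX_LEN) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c < 0x20 || c > 0x7e) return 0;
    }
    return 1;
}

/* Hardened entry point: the untrusted string is checked before it reaches the
 * sink, and the copy into the local buffer is bounded regardless. */
int format_greeting_checked(char *out, size_t outlen, const char *name)
{
    if (!validate_name(name)) {
        if (outlen > 0) out[0] = '\0';
        return -1;                                 /* reject instead of trusting the caller */
    }
    char local[NAME_MAX_LEN + 1];
    snprintf(local, sizeof local, "%s", name);     /* bounded copy */
    snprintf(out, outlen, "Hello, %s!", local);
    return 0;
}

int main(void)
{
    char out[64];
    const char *input = "Ada";   /* constructed stand-in for user-entered data */
    if (format_greeting_checked(out, sizeof out, input) == 0) puts(out);
    return 0;
}
```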
Fortify generates a large XML file containing data on all the vulnerabilities it finds. This file is then analyzed by the
Workbench, which displays the information in a user-friendly format. Unless programmers are up-to-date on the nature of specific
coding vulnerabilities, they are likely to be surprised by what Fortify flags. The product catches not only buffer over-runs
and opportunities for SQL injection, but also more-esoteric issues.
For example, one form of attack consists of forcing an application to open so many files that it fails in a predictable manner.
By hacking the application just so, a hacker can take over the code when this failure occurs. Hence, Fortify monitors file
opening and closing, and suggests that files should be closed as soon as possible (rather than left open until the program
closes them at exit) and that the return value of the close should be monitored.
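The file-handling advice in the paragraph above, as an added C example (not code from the review or from Fortify): the handle is released as soon as the read is done, the result of fclose() is checked, and a failed open (for instance when the process has exhausted its descriptors) becomes an explicit status rather than a crash. The status enum, function names and sample file are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

enum read_status { READ_OK = 0, READ_OPEN_FAILED, READ_IO_ERROR, READ_TOO_LONG, READ_CLOSE_FAILED };

/* Read the first line of `path` into `buf`, stripping the newline. Every
 * failure path is reported distinctly so the caller can act on it. */
enum read_status read_first_line(const char *path, char *buf, size_t buflen)
{
    if (buf == NULL || buflen < 2) return READ_IO_ERROR;
    FILE *fp = fopen(path, "r");
    if (fp == NULL) return READ_OPEN_FAILED;      /* e.g. EMFILE: descriptor table full */

    enum read_status st = READ_OK;
    if (fgets(buf, (int)buflen, fp) == NULL) {
        buf[0] = '\0';                            /* empty file is fine; an I/O error is not */
        if (ferror(fp)) st = READ_IO_ERROR;
    } else {
        size_t n = strlen(buf);
        if (n > 0 && buf[n - 1] == '\n') {
            buf[n - 1] = '\0';
        } else if (fgetc(fp) != EOF) {
            st = READ_TOO_LONG;                   /* line did not fit: buf is truncated */
        }
    }
    /* Close right away, not at exit, and check the result: a failed close can
     * hide a bad handle or lost data. */
    if (fclose(fp) != 0 && st == READ_OK) st = READ_CLOSE_FAILED;
    return st;
}

/* Helper that creates a constructed sample file for the demo; same discipline. */
int write_sample(const char *path, const char *content)
{
    FILE *fp = fopen(path, "w");
    if (fp == NULL) return -1;
    int rc = (fputs(content, fp) < 0) ? -1 : 0;
    if (fclose(fp) != 0) rc = -1;
    return rc;
}

int main(void)
{
    const char *path = "fortify_review_sample.txt";   /* constructed sample file */
    char line[32];
    if (write_sample(path, "first line\nsecond line\n") != 0) return 1;
    enum read_status st = read_first_line(path, line, sizeof line);
    printf("status=%d line=\"%s\"\n", (int)st, line);
    remove(path);
    return st == READ_OK ? 0 : 1;
}
```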
Because the number of generated warnings can be rather large, the Audit Workbench automatically assigns them severity ratings
and enables the creation of filters, so that only items of interest are displayed. The display not only lists the vulnerabilities
and the explanations, but also takes developers directly to the offending line of code.
The analysis engine is intended to run on a build server and is designed to slip easily into makefiles or Ant build files.
It runs at speeds comparable to a compiler, and because it need only be run on files modified since the last security audit,
it does not add significant overhead to the build.
Perfecting the Process
The Fortify Software Security Manager, which is part of the enterprise edition of the Fortify suite, tracks the security progress
of a project. Using it, a manager monitors the number of defects by type and can compare the count with previous audit results.
Managers can also change the severity of specific vulnerabilities, depending on the nature of the company's business processes,
and then track the resolution of just those items. Fortify's software makes this management process straightforward and intuitive.
New rule packs, which are regularly updated by Fortify as crackers find new ways to identify and exploit vulnerabilities,
are also added through this management console.
I ran Fortify on C/C++ and Java code bases from open source projects and applications developed by me, and I found the analysis
to be deep and comprehensive. As it will for almost any developer, Fortify has led me to change the way I write many routines,
which ultimately is the whole idea: improving security by making programmers more aware of security vulnerabilities. To this
end, Fortify plans to release plug-ins for Eclipse and Visual Studio .Net that enable developers to quickly verify their code
before checking it in to the source control systems.
The suite did have some shortcomings, mostly in secondary areas. One serious problem was its inability to change projects.
When I closed an existing project in the Workbench and opened another, the display included data from both projects, which
makes for nonsensical displays in the best cases, incorrect actions in the worst. The company is aware of this bug.
In addition, the GUI is cumbersome in many instances -- buttons are placed in unconventional places, they lead to unexpected
features, and the help functions are frustratingly insufficient -- all of which make the product unnecessarily difficult to
use. The other issue is pricing, which starts at $56,400 per CPU. (A team edition that lacks the manager console and the ability
to write custom rules starts at $30,000.) Sure, closing a security loophole can be a nearly priceless improvement, but Fortify's
price is certain to deter adoption at many sites.
Checking software for security vulnerabilities is something that needs to be done regularly by knowledgeable developers. Unfortunately,
the necessary expertise is hard to come by. Many shops publish insecure code because they don't have the qualifications to
perform good code reviews or the tools that can analyze their code deeply. Fortify's Source Code Analysis Suite provides a
comprehensive solution that intelligently analyzes code bases and generates detailed, usable reports of vulnerabilities.