
Tools Help Squash Bugs

Security features in software-testing products can highlight vulnerable areas of already-developed code

Even as the front end of application development becomes more automated, a challenge remains on the back end of the process, where the code undergoes testing.

Testing is still often a manual process, one that's done only after the coding is completed and if there's enough time for it. Yet the expense of projects is reduced when bugs and errors are caught early. "Everyone recognizes that testing as early in the development life cycle as possible results in savings," even if they don't do it, says Paul Zorfass, an IDC software-development analyst.

A big area of concern for application project managers is security, and several specialized products have come on to the market to examine code for security holes. Agitar Software's Agitator, Fortify Software's Application Risk Analyzer, LogicLibrary's LogicScan, and Parasoft's JTest and C++Test all have new security features that can highlight vulnerable areas of already-developed code.

At Financial Engines Inc., an administrator of corporate 401(k) plans, it's essential that the company bring new services online as fast as possible to give its customers' employees choices in their retirement plans. What's also essential is that those applications contain no back doors or other exposures that might admit hackers, says Garry Hallee, executive VP of technology. "Our reputation as a 401(k) adviser would be greatly diminished if people thought we were unable to keep our customer data secure," he says.

At the end of each day's coding, the development team creates a new build--or composite assembly of source code--of a project, even though it remains a work in progress. Then Fortify Software's Application Risk Analyzer is run against it. The scan detects problems as they occur, rather than finding them in a security review at the end of the project--or worse, in an outside security audit a year later, Hallee says.

Financial Engines' applications amount to 2 million lines of source code. No matter how hard the human eye tries to close all exposures, it's not as good as an automated tool, Hallee says. "We've done a lot to educate the team, but they can't do as comprehensive an analysis" as an automated tool, he says. "We find problems a lot earlier." And finding problems earlier is the goal. "It's our job to safeguard people's data. That's our whole business. We can't afford to have a security vulnerability," he says.

Jayson Minard, CIO of Abebooks Inc., a $130 million-a-year online used-book seller and supplier to Inc., found a sizable code problem in a project that was thought to be close to completion. When the application was run through Agitar Software's Agitator, an exception appeared that said one of the rules behind the app's currency-conversion engine was being violated. That rule said that a value in one country's currency, such as the British pound, could not be equal to the converted value in Canadian or American dollars or any other currency, but Agitator was showing instances where the software was yielding such a result.

If the code had gone into production, the mistaken conversions would have cost Abebooks, which deals with booksellers internationally, an estimated $200,000 in the software's first month of operation, Minard says.
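An added example, not code from the article or from Agitar: a small Python harness in the style of the invariant check described above, driven over a constructed currency converter with a planted defect (a missing-rate fallback that returns the amount unchanged) and over a corrected version. The currencies, rate figures and the defect itself are all assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP
from itertools import product

CENT = Decimal("0.01")

# Constructed rate table: hypothetical figures, not the article's data.
RATES = {
    ("GBP", "USD"): Decimal("1.85"),
    ("GBP", "CAD"): Decimal("2.20"),
    ("USD", "CAD"): Decimal("1.19"),
}


def convert_buggy(amount, src, dst):
    """Constructed converter with a planted defect: when the table has no
    direct (src, dst) rate it silently returns the amount unchanged."""
    if src == dst:
        return amount
    rate = RATES.get((src, dst))
    if rate is None:
        return amount  # planted defect: identity fallback, no rate applied
    return (amount * rate).quantize(CENT, rounding=ROUND_HALF_UP)


def convert_fixed(amount, src, dst):
    """Corrected converter: a missing direct rate is derived by inverting
    the reverse rate, and an unknown pair fails loudly."""
    if src == dst:
        return amount
    rate = RATES.get((src, dst))
    if rate is None:
        reverse = RATES.get((dst, src))
        if reverse is None:
            raise KeyError(f"no rate for {src}->{dst}")
        rate = Decimal(1) / reverse
    return (amount * rate).quantize(CENT, rounding=ROUND_HALF_UP)


def check_conversion_invariant(converter, amounts, currencies):
    """Drive the converter over every amount and currency pair and report
    each case where the converted value equals the original amount, which
    the rule says must never happen for two different currencies."""
    violations = []
    for raw, src, dst in product(amounts, currencies, currencies):
        amount = Decimal(raw)
        if src == dst or amount == 0:
            continue
        if converter(amount, src, dst) == amount:
            violations.append((str(amount), src, dst))
    return violations


if __name__ == "__main__":
    bad = check_conversion_invariant(convert_buggy, ["10.00", "250.00"], ["GBP", "USD", "CAD"])
    print(f"{len(bad)} invariant violations:", bad)
```

Each reported triple is a conversion that the rule forbids; the corrected converter produces none, and an unknown pair raises instead of passing the amount through.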
