Now that it's been widely acknowledged that applications are as much a target for hackers as networks and operating systems, companies will have to reassess how they build security into the software they write and purchase. Tools to examine software vulnerability in the design and testing stages have existed for years, but are now getting easier and more intuitive to use as companies face the evolving landscape of threats.

Watchfire Corp. Monday introduced a new version of its Web application testing software that not only identifies software vulnerabilities, but offers suggestions to fixing those problems. The company's AppScan 6.0 also includes a redesigned user interface that lets users customize screens, prioritize vulnerability listings, and test the compliance of their applications against 31 different government regulations, including the Sarbanes Oxley, the Federal Information Security Management, and the Gramm-Leach Bliley acts.

AppScan is also available in a developer edition, which gives programmers the ability to test Web applications while they're working in the Borland JBuilder, IBM WebSphere, Microsoft Visual Studio.Net, and Eclipse environments.

Ninety percent of Watchfire's customers audit and test their applications only after the applications have been developed and gone through quality assurance, says company founder and CTO Michael Weider. "At that stage, you don't have a lot of time to fix an application before it goes to the production phase," he says. "The challenge is testing applications thoroughly in a timely fashion."

As a result, software development kits that help programmers weave in tighter security from the outset will be on a lot of wish lists in 2006. Encryption software maker 2factor Inc. got an early jump on the holiday season Tuesday by introducing its Real Privacy Management SDK, designed to let companies develop applications that perform continuous mutual authentication of users and encryption of data.

Unlike Secure Sockets Layer, or SSL, encryption, 2factor's RPM purports to provide the ability to authenticate and encrypt every transmission for both sender and receiver across any network, on any device. RPM doesn't perform the initial authentication to start a transaction; "we update the master key each time you want to communicate with the server," says CEO Paul McGough. 2factor's RPM SDK beginning in February will be available in Basic and Gateway versions. Basic provides core authentication API integration within applications, while Gateway provides IP socket layer and cryptographic support.

The emergence of software-development tools that address application vulnerabilities help the security situation, but more needs to be done to change the underlying application development mindset. "Security is not a coding problem," says Jon Gossels, the president of security consulting firm SystemExperts Corp., which next week will formally introduce its Security Blanket consulting and monitoring suite of services. "It has more to do with design. There needs to be a security policy established at the front end; you can't inspect in quality at the end of the process."

Watchfire and competitive offerings from Kavado Inc. are a good start to improving application security, says SystemExperts consultant Jason Reed. The trick is using a static testing platform to check the security of Web applications, which are typically highly customized. Ultimately any company will need a combination of these tools along with a clear policy of focusing on key security tenets, including proper authentication, access control, and session management.