Many vulnerabilities exist because programmers don't consider how a hacker might try to break their code. Years ago, for example, it might not have occurred to a Web programmer that an attacker would exploit a field in a database query to launch a buffer overflow or SQL injection attack. "The earlier you find problems like this, the less expensive they are to fix," says Fortify Software CEO John Jack.
Fortify Software's Source Code Analysis looks for areas of code that would be vulnerable to attack. The software sits on a company's application development build server, which developers use to compile their code. Source Code Analysis scans the code and alerts the developer of any potential problems.
Source-code tools aren't new; earlier incarnations tested programs to make sure that areas of code executed according to plan so that users got the experience that vendors promised. This new generation of analysis technology, including software from Fortify, Agitar Software's Agitator, Parasoft's JTest and C++test, and Watchfire's AppScan, is tuned specifically to address security concerns during the application development and testing phases. "Instead of looking at what the code should be doing, we look at what the code should not be doing," Jack says.
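To make the "what the code should not be doing" idea concrete, here is an added example (not Fortify's product or any code from the article) of the simplest kind of source-code check such a tool performs: walking a program's syntax tree and flagging database `execute()` calls whose SQL text is assembled at run time by concatenation or formatting, the pattern behind the SQL injection case mentioned above, while leaving parameterized queries alone. The sample code it scans is constructed for the example; the function names in it (`find_user_bad`, `find_user_fmt`, `find_user_good`) are assumptions.

```python
import ast

# Constructed sample code under review (not from the article). Two functions
# build SQL from a caller-supplied value; the third passes it as a parameter.
SAMPLE_SOURCE = '''
def find_user_bad(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    return cur.fetchall()

def find_user_fmt(conn, name):
    cur = conn.cursor()
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
    return cur.fetchall()

def find_user_good(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
    return cur.fetchall()
'''


def _is_dynamic_string(node):
    """True if the expression builds its string at run time from non-literal parts."""
    if isinstance(node, ast.JoinedStr):  # f-string with at least one {expr}
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True  # "..." + x   or   "..." % x
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True  # "...".format(x)
    return False


def find_sql_injection_sinks(source):
    """Scan Python source and return (line, enclosing_function) for every
    execute()/executemany() call whose first argument is a dynamically built
    string. A string literal with placeholders (parameterized query) is not
    reported."""
    tree = ast.parse(source)
    findings = []
    for func in [n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)]:
        for node in ast.walk(func):
            if (isinstance(node, ast.Call)
                    and isinstance(node.func, ast.Attribute)
                    and node.func.attr in ("execute", "executemany")
                    and node.args
                    and _is_dynamic_string(node.args[0])):
                findings.append((node.lineno, func.name))
    return findings


def report(source):
    """Developer-facing alert text, one line per finding."""
    return [f"line {line}: SQL built from run-time values in {fn}(); "
            f"use a parameterized query instead"
            for line, fn in find_sql_injection_sinks(source)]


if __name__ == "__main__":
    for msg in report(SAMPLE_SOURCE):
        print(msg)
```

Run stand-alone it prints two alerts, for `find_user_bad` and `find_user_fmt`, and nothing for `find_user_good`. A production analyzer adds data-flow tracking so that a string built several assignments earlier, or in another function, is still traced back to the query, but the check above is the seed of that rule: the tool is not asking whether the query runs, only whether its text could have been shaped by a value the program did not control.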
Oracle and Fortify have been working together over the past 12 months to scale Source Code Analysis to run on Oracle's large code base. Oracle is by far Fortify's largest customer, although the company's customer base also includes Macromedia Inc., which on Dec. 5 was bought by Adobe Systems Inc.
Both Oracle and Fortify say that the cost of implementing Source Code Analysis will not add to the cost of Oracle's software and will ultimately save customers money by cutting down on the number of patches that must later be implemented.