Tools Help Keep Bugs Out From The Beginning

Troubleshooting security problems in software that runs the business is a high priority for IT staffs. But there's a growing recognition that catching vulnerabilities during development should be an even higher one.

This week at its TechEd Conference 2005 in Orlando, Fla., Microsoft will demonstrate a code scanner that can identify a security problem, lead a developer to the line of source code that contains it, and even help fix it. SPI Dynamics Inc.'s DevInspect and SecureObjects provide the capabilities. The .Net security tools are being integrated with Microsoft's Visual Studio 2005, expected to be available late this year.

Such tools are becoming more common in the Microsoft and Java/C++ development environments. "Traditionally there's been some looking at the code base, but when you start looking at 10 to 20 million lines for vulnerabilities, that's a challenge," says Howard Schmidt, former special adviser on cyberspace security to the White House and one-time chief security officer for Microsoft. Automated tools can look more methodically and tirelessly than the human eye, Schmidt says.

One source of such technology is traditional software-testing tool suppliers. Mercury Interactive Corp., for example, has licensed SPI Dynamics' code scanner and fixer and offers it with five of its test products.

Even vendors outside the development arena are getting into the act. This week, RSA Security Inc. will make it simpler for developers to add security services to applications without deep knowledge of encryption or digital certificates. The RSA BSafe Data Security Manager provides developers with a drop-down menu of security mechanisms to protect sensitive data. BSafe adds the protection automatically out of view of the programmer rather than through additional laborious programming, says Chris Parkerson, senior product manager.

But startups that have made security a specialty are entering the scene. In addition to SPI Dynamics, there's Coverity Inc., an outgrowth of research by associate professor Dawson Engler at Stanford University's Computer Science Lab. Engler also is Coverity's chief scientist.

With more software being developed for use on the Web, it's critical for developers to understand when they're creating openings for intruders. Engler's research illustrates that many developers assume data inputs from users would be just as they proscribe, leaving an opportunity for intruders to insert JavaScript or HTML code that a server would run as it tried to read the "user" input.

About 80% of existing security exposures, such as buffer overflows or SQL injection, in which SQL commands seize control of a database and are entered instead of requested user data, can be attributed to poor data-input validation, says Caleb Sima, SPI Dynamics' founder and chief technology officer.

Programming efficiency also is becoming more important as companies squeeze IT costs. "Once a security issue shows up in production, it's like putting the software through the development cycle twice. It has to go back to development" to be fixed, says Edward Liebig, principal IT security architect with Computer Sciences Corp. Liebig is former director of IT security at Manulife USA Annuities, now part of John Hancock Financial Services Inc., where he used WebInspect, a code-scanning tool from SPI Dynamics, to review Web apps. He's about to use DevInspect and SecureObjects as part of a CSC development project for a large energy-industry client.

It's important when automatically looking for security holes to not generate a lot of false positives, or conditions that theoretically might leave openings but don't in practice, Liebig says. The best tools, he says, highlight "real, exploitable conditions."