Tools Help Squash Bugs - InformationWeek

Tools Help Squash Bugs

Security features in software-testing products can highlight vulnerable areas of already-developed code

Even as the front end of application development becomes more automated, a challenge remains on the back end of the process, where the code undergoes testing.

Testing is still often a manual process, one that's done only after the coding is completed and if there's enough time for it. Yet the expense of projects is reduced when bugs and errors are caught early. "Everyone recognizes that testing as early in the development life cycle as possible results in savings," even if they don't do it, says Paul Zorfass, an IDC software-development analyst.

A big area of concern for application project managers is security, and several specialized products have come onto the market to examine code for security holes. Agitar Software's Agitator, Fortify Software's Application Risk Analyzer, LogicLibrary's LogicScan, and Parasoft's JTest and C++Test all have new security features that can highlight vulnerable areas of already-developed code.

At Financial Engines Inc., an administrator of corporate 401(k) plans, it's essential that the company bring new services online as fast as possible to give its customers' employees choices in their retirement plans. What's also essential is that those applications contain no back doors or other exposures that might admit hackers, says Garry Hallee, executive VP of technology. "Our reputation as a 401(k) adviser would be greatly diminished if people thought we were unable to keep our customer data secure," he says.

The human eye isn't as good as an automated tool, Hallee says.

At the end of each day's coding, the development team creates a new build--or composite assembly of source code--of a project, even though it remains a work in progress. Then Fortify Software's Application Risk Analyzer is run against it. The scan detects problems as they occur, rather than finding them in a security review at the end of the project--or worse, in an outside security audit a year later, Hallee says.

Financial Engines' applications amount to 2 million lines of source code. No matter how hard the human eye tries to close all exposures, it's not as good as an automated tool, Hallee says. "We've done a lot to educate the team, but they can't do as comprehensive an analysis" as an automated tool, he says. "We find problems a lot earlier." And finding problems earlier is the goal. "It's our job to safeguard people's data. That's our whole business. We can't afford to have a security vulnerability," he says.

Jayson Minard, CIO of Abebooks Inc., a $130 million-a-year online used-book seller and supplier to Inc., found a sizable code problem in a project that was thought to be close to completion. When the application was run through Agitar Software's Agitator, an exception appeared that said one of the rules behind the app's currency-conversion engine was being violated. That rule said that a value in one country's currency, such as the British pound, could not be equal to the converted value in Canadian or American dollars or any other currency, but Agitator was showing instances where the software was yielding such a result.

If the code had gone into production, the mistaken conversions would have cost Abebooks, which deals with booksellers internationally, an estimated $200,000 in the software's first month of operation, Minard says.
