Security features in software-testing products can highlight vulnerable areas of already-developed code
Even as the front end of application development becomes more automated, a challenge remains on the back end of the process, where the code undergoes testing.
Testing is still often a manual process, one that's done only after the coding is completed and if there's enough time for it. Yet the expense of projects is reduced when bugs and errors are caught early. "Everyone recognizes that testing as early in the development life cycle as possible results in savings," even if they don't do it, says Paul Zorfass, an IDC software-development analyst.
A big area of concern for application project managers is security, and several specialized products have come onto the market to examine code for security holes. Agitar Software's Agitator, Fortify Software's Application Risk Analyzer, LogicLibrary's LogicScan, and Parasoft's JTest and C++Test all have new security features that can highlight vulnerable areas of already-developed code.
At Financial Engines Inc., an administrator of corporate 401(k) plans, it's essential that the company bring new services online as fast as possible to give its customers' employees choices in their retirement plans. What's also essential is that those applications contain no back doors or other exposures that might admit hackers, says Garry Hallee, executive VP of technology. "Our reputation as a 401(k) adviser would be greatly diminished if people thought we were unable to keep our customer data secure," he says.
At the end of each day's coding, the development team creates a new build--or composite assembly of source code--of a project, even though it remains a work in progress. Then Fortify Software's Application Risk Analyzer is run against it. The scan detects problems as they occur, rather than finding them in a security review at the end of the project--or worse, in an outside security audit a year later, Hallee says.
Financial Engines' applications amount to 2 million lines of source code. No matter how hard the human eye tries to close all exposures, it's not as good as an automated tool, Hallee says. "We've done a lot to educate the team, but they can't do as comprehensive an analysis" as an automated tool, he says. "We find problems a lot earlier." And finding problems earlier is the goal. "It's our job to safeguard people's data. That's our whole business. We can't afford to have a security vulnerability," he says.
Jayson Minard, CIO of Abebooks Inc., a $130 million-a-year online used-book seller and supplier to Amazon.com Inc., found a sizable code problem in a project that was thought to be close to completion. When the application was run through Agitar Software's Agitator, an exception appeared that said one of the rules behind the app's currency-conversion engine was being violated. That rule said that a value in one country's currency, such as the British pound, could not be equal to the converted value in Canadian or American dollars or any other currency, but Agitator was showing instances where the software was yielding such a result.
If the code had gone into production, the mistaken conversions would have cost Abebooks, which deals with booksellers internationally, an estimated $200,000 in the software's first month of operation, Minard says.
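The Abebooks finding above is a rule-based (invariant) check: a converted amount must never come back equal to the original. As an added illustration, not Agitar's code and not Abebooks' application, the block below builds a small converter with a constructed rate table, a buggy version that silently returns the unconverted amount when it has no rate (one plausible way the rule gets violated), a corrected version that derives the inverse rate or refuses, and a checker that runs the article's rule over a set of sample conversions. All rates, currency pairs and amounts are constructed for the example.

```python
# Added example: checking the "converted value must not equal the source value"
# rule from the article against two converter implementations.
# Not Agitar's or Abebooks' code; rate table and the bug are constructed.

# Constructed rate table: units of the second currency per 1 unit of the first.
RATES = {
    ("GBP", "USD"): 1.27,
    ("GBP", "CAD"): 1.72,
    ("USD", "CAD"): 1.36,
}


def convert_buggy(amount, src, dst):
    """Defective converter: when no direct rate exists it falls through and
    hands back the unconverted amount, which is exactly the rule violation."""
    rate = RATES.get((src, dst))
    if rate is None:
        return amount  # silent fallthrough: GBP amount reported as USD, etc.
    return round(amount * rate, 2)


def convert_fixed(amount, src, dst):
    """Corrected converter: identity only for the same currency, derives the
    inverse rate when only the reverse pair is known, and refuses otherwise."""
    if src == dst:
        return amount
    rate = RATES.get((src, dst))
    if rate is None:
        inverse = RATES.get((dst, src))
        if inverse is None:
            raise LookupError(f"no rate available for {src}->{dst}")
        rate = 1.0 / inverse
    return round(amount * rate, 2)


def check_conversion_rule(convert, cases):
    """Apply the article's rule to each (amount, src, dst) case.

    A conversion between two different currencies must not yield a value
    equal to the input. A converter that refuses (raises) is not in
    violation; a converter that silently echoes the input is.
    Returns the list of violating cases.
    """
    violations = []
    for amount, src, dst in cases:
        if src == dst or amount == 0:
            continue  # the rule is only meaningful for non-zero cross-currency cases
        try:
            result = convert(amount, src, dst)
        except LookupError:
            continue  # an explicit refusal is the safe behaviour
        if result == amount:
            violations.append((amount, src, dst, result))
    return violations


# Constructed sample conversions; three of them have no direct rate entry.
CASES = [
    (100.0, "GBP", "USD"),
    (100.0, "USD", "GBP"),   # only the reverse pair is tabulated
    (250.0, "CAD", "GBP"),   # only the reverse pair is tabulated
    (42.5, "USD", "CAD"),
    (10.0, "EUR", "JPY"),    # no rate in either direction
]

if __name__ == "__main__":
    for name, fn in (("buggy", convert_buggy), ("fixed", convert_fixed)):
        print(name, check_conversion_rule(fn, CASES))
```

Run as a script, the buggy converter reports three rule violations (the two inverse-only pairs and the unknown pair) while the corrected one reports none. The checker deliberately treats a raised `LookupError` as acceptable: refusing to convert is a visible failure that testing and monitoring will catch, whereas returning the input unchanged is the kind of silent error the article says would have cost real money in production.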