Integrating Security into Software Development

AppScan Developer Edition provides fully automated application security testing for major development environments

What’s the price of buggy software? According to a study by the National Institute of Standards and Technology (NIST), buggy software hit the U.S. economy for $60 billion last year. The report also suggested that a third of that could have been saved simply through improved testing.

Obviously companies are getting the message—especially Microsoft, known for its software vulnerabilities. In an effort to change that, Bill Gates announced Microsoft’s Trustworthy Computing initiative in January 2002. In an e-mail to employees, Gates said, “We're in the process of training all our developers in the latest secure coding techniques,” then he actually slowed product development cycles to do just that.

Since then, more companies have integrated quality assurance and testing into their development cycles, and new tools are helping them make that easier. One new tool, released by Sanctum, is AppScan Developer Edition (DE) 1.7. It provides fully automated application security testing for major developer integrated development environments (IDEs), including IBM WebSphere Studio Application Developer, Eclipse, Borland JBuilder, and Microsoft Visual Studio. It works for developers on both .NET Framework and Java platforms as a plug-in for the just-mentioned IDEs.

The software works by simulating known attacks, crawling the application under development for vulnerabilities, then flagging those and providing fix advice. The benefit for developers is integrated security checks and reduced time spent troubleshooting application security.

“As development teams strive to build better software faster, making security a natural integrated part of the application development process is key to building robust enterprise scale solutions,” says Frank Slootman, senior vice president of software products at Borland Software Corp.

Expect to see more such tools in the future. “The acceleration of new Web-based applications calls for automated tools,” notes Charles Kolodgy, a security analyst at International Data Corp. “With AppScan DE, developers have access to an integrated tool that makes secure code an attainable goal so customers can receive quality applications on time,” while keeping costs down. “Because fixing security bugs in production software is so expensive, we believe that tools like this will be a driving force in creating better, more secure, more reliable software across .NET and Java platforms.”

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.