@stake, Inc. Introduces SmartRisk(tm) Analyzer

Breakthrough Automated Binary Solution Identifies Software Application Security Flaws

Cambridge, MA, May 24, 2004 - Digital security company @stake, Inc., today introduced its SmartRisk(tm) Analyzer, an automated solution for identifying security vulnerabilities in software applications that looks beneath traditional source code analysis to identify the root cause of security flaws. Using deep static analysis of the application binary code, developers can perform an extensive in-depth analysis by mapping application control and data flow paths into a comprehensive security model, expediting new, legacy and outsourced code review. SmartRisk Analyzer allows developers and quality assurance teams to find and fix security flaws early in the development cycle, reducing risk and saving millions of dollars on expensive incident response, including patch management and enterprise service interruptions.

"Exploiting programming flaws is the primary source of software security breaches today, and the costly development and deployment of a seemingly endless cycle of patches ignores the root cause of security vulnerabilities - insecure coding. Gartner believes the only way for enterprises to break out of a downward worm spiral is to make sure vulnerabilities are removed from all the software they buy and build before it goes into production use," said John Pescatore, vice president for Internet security, Gartner.

"We've taken the security intelligence and methodology of our best practices for manual code review from our consulting engagements and built this insight into an affordable automated solution for finding flaws in software applications," said Mike Pittenger, general manager of products, @stake, Inc. "Developers can integrate security into their existing projects and QA processes in a repeatable, measurable way and produce a more secure application at every stage."

Binary Analysis in the Runtime Environment - A Third-Generation Approach

SmartRisk Analyzer's automated static binary code analysis is a third-generation approach that significantly improves application security quality when compared with first- and second-generation source code analysis alone. These previous methods include lexical analysis involving a simplistic search of source code for keywords, and keyword searches combined with contextual analysis.

"Binary analysis tools look at the application within the deployment environment. This analysis addresses variables introduced in the runtime environment," said Charles Kolodgy, research director for security products at IDC. "Most importantly, binary analysis allows developers to identify security vulnerabilities introduced by third-party libraries, even when the source code is unavailable."

Risk Analysis, Flaw Classification and Remediation

SmartRisk Analyzer builds a multidimensional model of the application and runs hundreds of risk analysis scans against the model to identify and prioritize security vulnerabilities. The strength of the risk analysis scans is the knowledgebase built by @stake through its more than 1,000 customer engagements. In conjunction with the multidimensional model of the application, the knowledgebase minimizes "false positive" results common in source code scanners.

The comprehensive scans find flaws related to insecure or improper use of programming languages and standard libraries, flaws that may result from the deployment platform on which the application runs, and other vulnerabilities such as input validation, command and script injection, and backdoors and malware. Flaws are classified and grouped by level of priority from severe to informational and are annotated within the original source code to optimize developer productivity and facilitate the remediation process.

Advanced Vulnerability Reporting - Finding Your Security Quotient

SmartRisk Analyzer provides both detailed developer reports and summary reports for quality assurance and management. Detailed reports enable developers to fix flaws quickly. Summary reports of vulnerabilities by risk, severity and type allow quality assurance staff and management to track flaws and develop historical trends by various criteria. SmartRisk Analyzer assigns risk points for the application and assigns a "Security Quotient" to provide an enterprise-wide view of where the risk resides.

"SmartRisk Analyzer can provide management with comprehensive reports on applications developed in-house or outsourced. The @stake Security Quotient provides a benchmark for every application, allowing managers to monitor improvements in quality and identify weaknesses in their processes," said Pittenger. "The real strength of SmartRisk Analyzer, however, is the power it gives to developers. The detailed reports allow engineers to quickly prioritize vulnerabilities during the development cycle, when changes are most cost-effective," he continued.

Supported Environments and Product Availability

@stake's SmartRisk Analyzer supports C and C++ on Windows and Solaris, as well as Java J2EE. System requirements include Windows 2000, 2003, or XP, a 2GHz CPU, 2GB of RAM and 100MB of disk space. The product is available for license by in-house developers or as part of @stake's consulting services. Product and licensing information and online ordering are available at http://www.atstake.com/products/analyzer or by calling +1.617.621.3500. Download a copy of @stake's white paper, "SmartRisk Analyzer: A New Era of Software Security", at http://www.atstake.com/products/analyzer/acrobat/atstake_sra_whitepaper.pdf.

About @stake, Inc.

@stake, Inc., the premier digital security company, helps corporations secure critical infrastructure and electronic relationships. For more information, go to http://www.atstake.com.

# # #

@stake and SmartRisk are trademarks of @stake, Inc.

Other company, product and service names are trademarks or registered trademarks of their respective owners.