A new company hopes to make life a lot harder for malicious hackers, releasing technology that analyzes computer code for security violations and enforces secure coding practices.
Fortify Software Inc., a startup company based in Menlo Park, Calif,, plans to unveil two new product suites on Monday, one to inspect source code written in the C++ and Java programming languages, the other to probe security holes in software applications, the company said.
The new products give companies a way to strengthen software applications against attack by spotting and removing common vulnerabilities like buffer overflows, format string errors and unchecked input from the product code early in the development process, said Mike Armistead, Fortify vice-president of marketing.
At the heart of Fortify's products is technology called "extended static checking" that analyzes the properties of software code rather than the behavior of the finished program, said Brian Chess, chief scientist at Fortify.
Most source code analysis products work by trying to "stimulate" finished software applications with long lists of data and produce an invalid response. Extended static checking enables Fortify's products to enumerate all the paths in computer code that can take action or "execute," quickly spot sensitive areas in the computer code, then determine the exact limits of the vulnerability, he said.
That makes Fortify's product different from those of competitors such as Sanctum Inc. and SPI Dynamics Inc., said Theresa Lanowitz, research director at Gartner Inc.
"Fortify tackled this problem of security at the application level from a developer perspective only," she said.
Fortify Source Code Analysis is a suite of products that includes the Fortify Developer Toolkit and Fortify Source Code Analysis Server that compare code to a list of more than 500 vulnerabilities published by software quality management company Cigital Inc.
The Developer Toolkit is a desktop application that runs on Linux and Windows desktops and works with leading Integrated Development Environments (IDEs) to pinpoint security vulnerabilities early on, as code is being written and tested, Armistead said.
"The developer gets output that looks like output from a compiler," he said. For example, the Fortify Developer Toolkit might spot the developer using a software function that is known to introduce security risks.
"Instead of a compiler error saying 'I can't parse this,' developers will get a Fortify error saying that they're using a dangerous function, why not to use it and here's what could happen if you do use it," Chess said. "The idea is that just because a program compiles correctly, it's not necessarily a good program. So if the security checker doesn't like the program, you need to fix it."
The Analysis Server is another component of the Fortify Source Code Analysis product that analyzes software code for vulnerabilities and security flaws during "integration builds," when the work of multiple developers is knitted together, Armistead said.