Remember when attackers were just out for fame and glory, and
application security was someone else's problem? Big targets like Microsoft and
Oracle drew the fire. All enterprise IT had to do was apply patches regularly and keep a properly configured firewall.
Those days are gone. Cracking corporate networks is no longer a kid's game; it's a lucrative criminal growth industry. The attackers who stole 45.6 million credit- and debit-card numbers from TJX Companies were professional enough to remain undetected for at least 10 months. Meanwhile, major software vendors, including Microsoft, have improved their security practices, which puts niche and in-house-developed software and Web applications squarely in the bad guys' sights.
It seems enterprise IT is finally grasping the liability insecure coding practices represent. Data protection and application-software security were chosen as the most critical issues through 2008 in the 2006 CSI/FBI Computer Crime and Security Survey, above policy and regulatory compliance, and identity theft/data-leakage prevention.
If you think your network's not at risk, consider that most software isn't built for commercial distribution; it's developed in-house or on contract for specific requirements. Purpose-built apps provide the framework for a huge range of business processes, from dynamic Web sites, SOA (service-oriented architecture) and e-commerce to business process automation and administration. They also provide a target-rich environment for would-be attackers.
In response to this escalating threat, major compliance standards like HIPAA and PCI DSS (Payment Card Industry Data Security Standard) are incorporating--or at least implying the necessity of--application security processes.
Of course, where there's a regulation, there's a marketing op. In this case, makers of automated source-code analysis tools are shifting their focus from commercial software vendors to enterprises. They say adopting their tools will let your developers build more secure software and meet the compliance burden.
But are they up to the job?
To find out, we brought three popular static source-code analyzers into our Chicago Neohapsis partner lab: Fortify SCA (Source Code Analysis) 4.0, Klocwork K7.5 and Ounce Labs' Ounce 4.1. We also asked Coverity to send its Prevent analyzer, but the company declined, citing insufficient resources.
Each product has strengths and weaknesses, but any would be a useful addition to a mature security process. And therein lies our most important point: A code scanner, no matter how effective, is only part of the answer. Without adequate developer training and an SDLC (software development lifecycle) that makes security a priority, no tool will protect your network. Sound familiar?
We've long advocated a defense-in-depth strategy that recognizes that there is no perimeter. Security groups have implemented technologies like host intrusion prevention, NAC and database-extrusion prevention that seek to thwart attackers who have infiltrated outer lines of defense before they gain access to sensitive information.
But that's no longer enough. It's time for enterprise IT to partner with in-house and contract developers to make security Job 1. The application development group and the security group both sit under the CIO, so even though security pros typically have had a different world view from developers, who are mainly concerned with providing the functionality requested by the business, political issues can be overcome.