Analysis: Automated Code Scanners

Posted by Justin Schuh on April 13, 2007

Tags: Fortify Software,  K7.5 Enterprise Development Suite,  Klocwork,  Ounce 4.1,  Ounce Labs,  SCA 4.0,  automated code scanners,  data security,  protection,  security,  source-code security analyzers,  Appliances,  Client/Server Protection,  Consulting,  Corporate Data Security,  Data Center Access,  Data Networking & Management,  Data Protection,  Data Security,  Database Management Services,  E-Business and Customer Data Security,  Environment,  Infrastructure,  Internet Security,  Java,  Linux,  Management,  Network Security,  Networking,  New Vulnerabilities,  Other,  Product-Lifecycle Management,  Remote Access Software,  Security Appliances and Hardware,  Security Information Management,  Security and Privacy,  Servers & Storage,  Software and Web Development,  Storage Management Software,  Storage Security,  User Interface,  Vulnerability Assessment Services,  Vulnerability Assessment and Management,  Windows,  ustin Schuh

Channel: Data Protection, Networking & Mgmt, Other, Servers & Storage

Remember when attackers were just out for fame and glory, and application security was someone else's problem? Big targets like Microsoft and Oracle drew the fire. All enterprise IT had to do was apply patches regularly and keep a properly configured firewall.

Those days are gone. Cracking corporate networks is no longer a kid's game, it's a lucrative criminal growth industry. The attackers who stole 45.6 million credit- and debit-card numbers from TJX Companies were professional enough to remain undetected for at least 10 months. Meanwhile, major software vendors, including Microsoft, have improved their security practices, which puts niche and in-house-developed software and Web applications squarely in the bad guys' sights.

It seems enterprise IT is finally grasping the liability insecure coding practices represent. Data protection and application-software security were chosen as the most critical issues through 2008 in the 2006 CSI/FBI Computer Crime and Security Survey, above policy and regulatory compliance, and identity theft/data-leakage prevention.

If you think your network's not at risk, consider that most software isn't built for commercial distribution; it's developed in-house or on contract for specific requirements. Purpose-built apps provide the framework for a huge range of business processes, from dynamic Web sites, SOA (service-oriented architecture) and e-commerce to business process automation and administration. They also provide a target-rich environment for would be attackers.