A mix of security analysis techniques was added to IBM’s Rational AppScan portfolio, with the introduction of string analysis and static and dynamic hybrid analysis capabilities for Web-based applications.
Productized for the first time by IBM, string analysis is a capability that automatically detects and verifies that input is properly “cleansed” in order to remove security risks, IBM said.
“In Web applications, there is frequent use of user input, [such as] user name and password fields,” explained Patrick Vandenberg, manager of IBM Rational security marketing. “If the code that handles the input doesn’t properly ‘cleanse’ the code for special characters that can be used to inject malicious scripts, the application and the data the application has permission to access becomes vulnerable.
“Developers are generally not aware of the need or how to cleanse the code for this purpose. String analysis helps developers identify the input sanitization routines and also helps verify that they are doing what they are supposed to be doing.”
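The kind of check string analysis automates can be illustrated in miniature: run candidate sanitizers over sample inputs and confirm that no raw HTML-special character survives. This is an added example, not IBM's or AppScan's code; the two sanitizers and the sample inputs are constructed here for illustration.

```python
import html
import re

# Constructed sample inputs: ordinary strings that happen to contain
# HTML-special characters, as a user name or comment field might.
SAMPLE_INPUTS = [
    "alice",
    "O'Brien & Sons",
    "<b>bold</b>",
    'say "hi"',
    "<script>x</script>",
]

# Characters that must not reach HTML output unencoded.
HTML_SPECIALS = set("<>\"'&")

# Matches a well-formed entity such as &lt; &quot; &#39; &#x27; so that the
# '&' of an encoded character is not mistaken for a raw special.
ENTITY = re.compile(r"&(?:[a-zA-Z]+|#\d+|#x[0-9a-fA-F]+);")


def naive_sanitize(value: str) -> str:
    """Hypothetical blacklist sanitizer: removes one known tag name only."""
    return value.replace("<script>", "").replace("</script>", "")


def escape_sanitize(value: str) -> str:
    """Encode every HTML-special character (true 'cleansing' for HTML output)."""
    return html.escape(value, quote=True)


def leaks_specials(output: str) -> bool:
    """True if any raw HTML-special character remains outside an entity."""
    stripped = ENTITY.sub("", output)
    return any(ch in HTML_SPECIALS for ch in stripped)


def verify_sanitizer(sanitize) -> list:
    """Return the sample inputs whose sanitized output still leaks specials.

    An empty list means the routine did what it was supposed to do on
    every sample; a non-empty list points at the inputs it mishandled.
    """
    return [s for s in SAMPLE_INPUTS if leaks_specials(sanitize(s))]


if __name__ == "__main__":
    print("naive :", verify_sanitizer(naive_sanitize))
    print("escape:", verify_sanitizer(escape_sanitize))
```

The naive routine passes the one input it was written for and fails the benign ones, which is exactly the gap a verification step is meant to expose.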
In addition, hybrid analysis allows developers to automatically see a broader set of vulnerabilities discovered from static and dynamic analyses, IBM said. This capability is initially available for Java applications only.
Aside from offering different analysis techniques to “improve an organization’s security posture,” the idea is to also put vulnerability analysis and testing in the hands of developers, Vandenberg said.
“This is the most cost-effective way because it addresses vulnerabilities at the earliest stages and helps remove risks from applications.”