Security concerns grow every day for application developers. With public-facing Web applications, mobile devices and wireless connections everywhere, sometimes software can feel as though it’s being built with a target on its back. But a host of new security solutions from the likes of Denim Group, Sonatype and Veracode are attempting to rectify security concerns throughout the development process.
Traditionally, security in software development has been handled with code scanners like Coverity and FindBugs. But such tools have been hampered by false positives, and by their reliance on individual developers to treat security as a concern confined to their own code, and to both find and fix those problems themselves, with no view of how the issues are being handled across the organization.
John Dickson, CEO of the Denim Group, said that his company understands the gaps that exist in the software development security life cycle. To this end, the Denim Group has created ThreadFix, a process-based solution that he claimed can solve the systemic problems with application development security.
“The market is growing quite a bit,” said Dickson of the software security assurance market. “What we’ve seen with our enterprise customers is that when they have over 500 applications, they’re struggling to look at this in a programmatic way. They bought a bunch of Fortify, but they’re struggling to get coverage of their application portfolio.
“What ThreadFix does is it helps to address the challenge of getting a software security process up and running. You have all these different teams scanning code or live applications, and it collects all the data from these different scanners and helps the security analyst through the process of turning these into actionable items.”
Thus, ThreadFix has hooks into popular code-scanning and security tools, and offers a central place to collect and track every discovered security issue, whichever tool found it. This gives managers a single view of the security state of an application portfolio, and lets them track the correction of these bugs through additional hooks into the source-code repositories.
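To make the aggregation role concrete, here is an added illustration (not ThreadFix code, and not any real scanner's export format) of the core job described above: findings from a static scanner and a dynamic scanner, each in its own shape, are normalised to one schema, duplicate reports of the same issue are collapsed, and a per-application summary shows how many issues are open and how long the oldest has been known. The two export layouts, the application names and the dates are constructed sample data.

```python
"""
Aggregating findings from several scanners into one normalised view.
Added illustration, not ThreadFix code; the scanner export formats
below are constructed stand-ins, not any real tool's output.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    app: str
    cwe: int
    location: str      # file:line for static tools, URL?param for dynamic tools
    severity: str
    sources: tuple     # which scanners reported it
    first_seen: date


SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
SAMPLE_TODAY = date(2012, 3, 1)   # constructed "today" for the age report

# Constructed sample exports in two hypothetical formats.
STATIC_EXPORT = [
    {"app": "billing", "rule": "CWE-89", "file": "src/OrderDao.java", "line": 142,
     "sev": "High", "date": "2012-01-09"},
    {"app": "billing", "rule": "CWE-79", "file": "src/Receipt.jsp", "line": 31,
     "sev": "Medium", "date": "2012-01-09"},
    {"app": "billing", "rule": "CWE-89", "file": "src/OrderDao.java", "line": 142,
     "sev": "High", "date": "2012-02-20"},   # same bug reported by a later scan
]
DYNAMIC_EXPORT = [
    {"application": "billing", "cwe": 79, "url": "/receipt", "param": "id",
     "risk": "medium", "found": "2012-02-01"},
    {"application": "portal", "cwe": 352, "url": "/transfer", "param": "",
     "risk": "high", "found": "2012-02-01"},
]


def from_static(rec):
    """Map one static-scanner record onto the common Finding schema."""
    return Finding(rec["app"], int(rec["rule"].split("-")[1]),
                   f'{rec["file"]}:{rec["line"]}', rec["sev"].lower(),
                   ("static",), date.fromisoformat(rec["date"]))


def from_dynamic(rec):
    """Map one dynamic-scanner record onto the common Finding schema."""
    loc = rec["url"] + (f'?{rec["param"]}' if rec["param"] else "")
    return Finding(rec["application"], rec["cwe"], loc, rec["risk"].lower(),
                   ("dynamic",), date.fromisoformat(rec["found"]))


def merge(findings):
    """Collapse reports of the same (app, CWE, location) into one finding,
    keeping the earliest sighting, the highest severity and the union of
    reporting scanners."""
    merged = {}
    for f in findings:
        key = (f.app, f.cwe, f.location)
        if key in merged:
            m = merged[key]
            merged[key] = Finding(
                m.app, m.cwe, m.location,
                max(m.severity, f.severity, key=lambda s: SEVERITY_RANK.get(s, 0)),
                tuple(sorted(set(m.sources) | set(f.sources))),
                min(m.first_seen, f.first_seen))
        else:
            merged[key] = f
    return merged


def portfolio_view(static_export, dynamic_export, today):
    """Return (merged findings, per-app summary of open count and oldest age in days)."""
    merged = merge([from_static(r) for r in static_export] +
                   [from_dynamic(r) for r in dynamic_export])
    view = defaultdict(lambda: {"open": 0, "oldest_days": 0})
    for f in merged.values():
        v = view[f.app]
        v["open"] += 1
        v["oldest_days"] = max(v["oldest_days"], (today - f.first_seen).days)
    return merged, dict(view)


if __name__ == "__main__":
    merged, view = portfolio_view(STATIC_EXPORT, DYNAMIC_EXPORT, SAMPLE_TODAY)
    for f in merged.values():
        print(f.app, f"CWE-{f.cwe}", f.location, f.severity, f.sources, f.first_seen)
    print(view)
```

Note the limitation the sample exposes: the static CWE-79 finding in `src/Receipt.jsp` and the dynamic CWE-79 finding at `/receipt?id` are very likely the same bug, but they stay separate here because a file location and a URL only line up once you know the application's route-to-source mapping. That mapping is exactly the extra work a tool has to do to correlate static and dynamic results, and it is left out of this illustration.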
Dickson said ThreadFix was created to address what he sees as a major problem in enterprise application security. “We’re starting to see that application vulnerabilities persist far longer than network vulnerabilities. These vulnerabilities will sit out there for months at a time. For the most part, network vulnerabilities are fixed in a matter of days or weeks. In the application-level world, it’s weeks or months. Part of the reason is [enterprise application developers] don’t know. If they knew and were able to quantify those vulnerabilities, they would be fixed sooner.”
Repository medicine
Sonatype, the company behind the open-source Maven project, has taken a new approach to its business in order to address security. Jason van Zyl, founder of Sonatype and creator of the Maven project, said he realized soon after Wayne Jackson, who has a software security background, joined the company as CEO that Sonatype was in a terrific position to offer security tooling to its users. And so the company has added a security element on top of its offerings.
Maven builds resolve their dependencies from a central repository of published Java artifacts. That means all the popular libraries, projects and frameworks are generally available in the Maven Central repository for anyone in the world to pull into their builds.
This places Maven at the top of the Java food chain, and van Zyl said that Sonatype is in a unique position to observe all security updates for the entirety of Java. Thus, he said, Sonatype can serve as a security Sherpa for enterprises that use open-source Java components.
“We’re purely focused on the third-party open-source component consumption. We’ve had to make something pretty sophisticated to look into a JAR file or classes,” said van Zyl. He said that not only is Sonatype tracking major security vulnerabilities in Java projects, the company has also released scanning tools to check for open-source code embedded or modified in other programs. This ensures that existing vulnerabilities aren’t missed when they exist inside other code.
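The technique van Zyl describes, recognising known open-source components inside a build and flagging the ones with known vulnerabilities, is shown below as an added illustration; it is not Sonatype's tooling. A component is first matched by the SHA-1 of the whole JAR, which catches a library that has merely been renamed; if that fails, the SHA-1 of each `.class` entry is compared against a catalogue so that a repackaged or locally patched copy is still recognised. The component catalogue (a hypothetical library `widgetlib`), the advisory and the JARs are all constructed in memory; a real analysis would use the checksums published alongside the artifacts and a real advisory feed.

```python
"""
Software composition analysis in miniature: identify the open-source
components in a build and flag those with known vulnerabilities.
Added illustration, not Sonatype's tooling.  Catalogue, advisory and
JARs are constructed in memory with hypothetical names and versions.
"""
import hashlib
import io
import zipfile


def make_jar(entries):
    """Build an in-memory JAR (a zip) from {path: bytes}; constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, data in entries.items():
            z.writestr(path, data)
    return buf.getvalue()


def class_fingerprints(jar_bytes):
    """SHA-1 of every .class entry, so a component can be recognised even
    when the JAR has been renamed, repackaged or partially modified."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        return {name: hashlib.sha1(z.read(name)).hexdigest()
                for name in z.namelist() if name.endswith(".class")}


# Constructed catalogue of known components (hypothetical library "widgetlib").
KNOWN = {
    ("org.example", "widgetlib", "1.2.0"): make_jar({
        "org/example/widget/Parser.class": b"parser v1.2.0 bytecode",
        "org/example/widget/Render.class": b"render v1.2.0 bytecode",
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    }),
    ("org.example", "widgetlib", "1.3.0"): make_jar({
        "org/example/widget/Parser.class": b"parser v1.3.0 bytecode",
        "org/example/widget/Render.class": b"render v1.3.0 bytecode",
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    }),
}
# Constructed advisory: widgetlib versions below 1.3.0 are affected.
ADVISORIES = [{"id": "EXAMPLE-0001", "group": "org.example", "artifact": "widgetlib",
               "fixed_in": "1.3.0", "cwe": 502}]

JAR_HASHES = {hashlib.sha1(b).hexdigest(): coord for coord, b in KNOWN.items()}
CLASS_INDEX = {coord: class_fingerprints(b) for coord, b in KNOWN.items()}


def vtuple(v):
    """Numeric version tuple for comparison, e.g. "1.2.0" -> (1, 2, 0)."""
    return tuple(int(x) for x in v.split("."))


def identify(jar_bytes, min_overlap=0.5):
    """Exact match by whole-JAR SHA-1 first; otherwise the catalogue entry
    sharing the largest fraction of class hashes, if at least min_overlap."""
    h = hashlib.sha1(jar_bytes).hexdigest()
    if h in JAR_HASHES:
        return JAR_HASHES[h], "exact"
    mine = set(class_fingerprints(jar_bytes).values())
    best, best_score = None, 0.0
    for coord, classes in CLASS_INDEX.items():
        theirs = set(classes.values())
        score = len(mine & theirs) / len(theirs)
        if score > best_score:
            best, best_score = coord, score
    if best_score >= min_overlap:
        return best, f"partial:{best_score:.2f}"
    return None, "unknown"


def vulnerable(coord):
    """Advisory ids affecting the given (group, artifact, version)."""
    g, a, v = coord
    return [adv["id"] for adv in ADVISORIES
            if adv["group"] == g and adv["artifact"] == a
            and vtuple(v) < vtuple(adv["fixed_in"])]


def audit(build):
    """build: {filename: jar bytes}.  Returns filename -> (coord, how, advisory ids)."""
    report = {}
    for name, data in build.items():
        coord, how = identify(data)
        report[name] = (coord, how, vulnerable(coord) if coord else [])
    return report


# Constructed build: a renamed copy of 1.2.0, a copy of 1.2.0 with one class
# patched locally, and an in-house JAR that is not in the catalogue.
BUILD = {
    "lib/utils.jar": KNOWN[("org.example", "widgetlib", "1.2.0")],
    "lib/widget-custom.jar": make_jar({
        "org/example/widget/Parser.class": b"parser v1.2.0 bytecode",
        "org/example/widget/Render.class": b"render v1.2.0 bytecode, locally patched",
    }),
    "lib/inhouse.jar": make_jar({"com/acme/Main.class": b"acme bytecode"}),
}

if __name__ == "__main__":
    for name, (coord, how, advs) in audit(BUILD).items():
        print(name, coord, how, advs)
```

The renamed `utils.jar` is caught by the whole-file hash alone; the locally patched copy only matches half its classes, which is why the fallback to per-class fingerprints matters and why the overlap threshold is a tuning decision (too low and unrelated JARs sharing common helper classes will be mislabelled, too high and forked copies are missed).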
How does Sonatype stack up against traditional security-scanning companies? “They’re focused on scanning your code, we are focused on working with the third-party open-source binaries we download,” said van Zyl. “As far as we can tell, our customers’ application development has essentially become component assembly, we’ve seen [that] upward of 80% of it is open-source components, or higher. Then there’s the small bit of business code you’re writing that adds value.”
Commercial accountability
While Sonatype is focused on ensuring the security of existing open-source components, and alerting users when they need to update a vulnerable library, SaaS code-scanning company Veracode is taking on matters from the other side of the fence. While Veracode cut its teeth scanning compiled binaries for security flaws, it now also offers to scan third-party vendors' applications for a fee.
Ed Jennings, executive vice president of sales, marketing and services at Veracode, said that this new approach is much broader in scope than straight code scanning.
“The program we’re enabling is vendor application security testing,” he said. “This is a fully outsourced program. Our application security experts come in and define the policies you want for third-party applications—what they’re going to have to do for compliance, and such. We get the list of all application partners and their contact info, and we’ll take responsibility for reaching out to those partners and scanning the applications. We’re helping them scan the output and to perform other forms of mitigation. Then we work them through to comply with the enterprise policy.”
This approach takes the security compliance burden off the end users, said Jennings. “We would be testing 100 out of 10,000 applications for a bank. They pay for us to go scan third-party vendor applications. They had to prioritize the 100 highest-risk vendors. They’ll keep paying for those, but for the thousands of other vendors, they give us the list of contacts and applications, and then we go contact them directly for our new mandate. This allows enterprises to scale to thousands of applications, while diffusing the cost to the supply-chain partners themselves.”
But whatever the solution, it seems clear that security is not something that can be fixed simply by pointing an in-IDE tool at the developer and throwing alerts when coding policies are violated. With so many applications coming from so many different sources, simple code scanning and in-IDE compliance tools aren’t enough to ensure security in this dangerous new world.