Security concerns grow every day for application developers. With public-facing Web applications, mobile devices and wireless connections everywhere, sometimes software can feel as though it’s being built with a target on its back. But a host of new security solutions from the likes of Denim Group, Sonatype and Veracode are attempting to rectify security concerns throughout the development process.
Traditionally, software development security has been handled with code scanners like Coverity and FindBugs. But such tools have been hampered by false positives, and by their reliance on end developers to keep security concerns in their own corner and to both find and fix these problems themselves.
John Dickson, CEO of the Denim Group, said that his company understands the gaps that exist in the software development security life cycle. To this end, the Denim Group has created ThreadFix, a process-based solution that he claimed can solve the systemic problems with application development security.
“The market is growing quite a bit,” said Dickson of the software security assurance market. “What we’ve seen with our enterprise customers is that when they have over 500 applications, they’re struggling to look at this in a programmatic way. They bought a bunch of Fortify, but they’re struggling to get coverage of their application portfolio.
“What ThreadFix does is it helps to address the challenge of getting a software security process up and running. You have all these different teams scanning code or live applications, and it collects all the data from these different scanners and helps the security analyst through the process of turning these into actionable items.”
To that end, ThreadFix has hooks into popular code-scanning and security tools, and offers a central place to track all discovered security issues. This gives managers a single place to observe all of the security concerns across an application portfolio, and to track the correction of these bugs through additional hooks into the source-code repositories.
Dickson said ThreadFix was created to address what he sees as a major problem in enterprise application security. “We’re starting to see that application vulnerabilities persist far longer than network vulnerabilities. These vulnerabilities will sit out there for months at a time. For the most part, network vulnerabilities are fixed in a matter of days or weeks. In the application-level world, it’s weeks or months. Part of the reason is [enterprise application developers] don’t know. If they knew and were able to quantify those vulnerabilities, they would be fixed sooner.”
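The aggregation idea behind ThreadFix, and the "quantify how long a vulnerability has been open" point Dickson makes, can be illustrated with a small script. This is an added example, not ThreadFix code; the two scanner record layouts and the sample findings are constructed for the illustration.

```python
"""Merge findings from several scanners into one tracker and report
how many days each unresolved vulnerability has been open.

Added illustration only; not ThreadFix code. Scanner record layouts
and sample data below are constructed."""
from collections import defaultdict
from datetime import date

# Constructed sample output from two hypothetical scanners. Both report
# the same SQL-injection finding (CWE-89) using different field names.
STATIC_SCAN = [  # e.g. a source-code scanner
    {"app": "billing", "file": "src/Orders.java", "line": 88,
     "cwe": 89, "first_seen": "2012-01-10"},
    {"app": "billing", "file": "src/Login.java", "line": 12,
     "cwe": 79, "first_seen": "2012-02-01"},
]
DYNAMIC_SCAN = [  # e.g. a live-application scanner
    {"application": "billing", "path": "src/Orders.java", "ln": 88,
     "cwe_id": 89, "found": "2012-01-20"},
]

def normalize(static_findings, dynamic_findings):
    """Map both layouts onto one schema and merge duplicates on
    (app, file, line, cwe), keeping the earliest first-seen date and
    counting how many scanners reported the finding."""
    records = [(f["app"], f["file"], f["line"], f["cwe"], f["first_seen"])
               for f in static_findings]
    records += [(f["application"], f["path"], f["ln"], f["cwe_id"], f["found"])
                for f in dynamic_findings]
    merged = {}
    for app, path, line, cwe, seen in records:
        seen = date.fromisoformat(seen)
        entry = merged.setdefault((app, path, line, cwe),
                                  {"first_seen": seen, "sources": 0})
        entry["first_seen"] = min(entry["first_seen"], seen)
        entry["sources"] += 1
    return merged

def open_ages(merged, today_iso):
    """Days each unresolved finding has been open, grouped per application."""
    today = date.fromisoformat(today_iso)
    ages = defaultdict(dict)
    for (app, path, line, cwe), entry in merged.items():
        ages[app][(path, line, cwe)] = (today - entry["first_seen"]).days
    return dict(ages)

if __name__ == "__main__":
    for app, items in open_ages(normalize(STATIC_SCAN, DYNAMIC_SCAN),
                                "2012-04-01").items():
        for loc, days in sorted(items.items(), key=lambda kv: -kv[1]):
            print(app, loc, f"open {days} days")
```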
Sonatype, the company behind the open-source project Maven, has taken a new approach to its business in order to address security. Jason van Zyl, founder of Sonatype and creator of the Maven project, said he realized soon after his new CEO, Wayne Jackson, who has a software security background, joined the company that Sonatype was in a terrific position to offer security to its users. And so the company has added a security element on top of its offerings.