The Fortify Developer Toolkit and Source Code Analysis Server can be used by developers to scan their code for potential vulnerabilities before deployment. A third component, Software Security Manager, lets project managers oversee the process.

The software works by parsing through source code looking for things like unchecked buffers or unchecked data types in input fields. The software has a list of about 540 rules it checks against, each a variation of one of a dozen vulnerability types.
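As an added illustration (not Fortify's code or its rule set), the following Python script shows the approach the article describes in miniature: a short list of rules, each tied to a vulnerability category, applied line by line to C source. The rule patterns, the sample C source and the advice strings are constructed for this example.

```python
import re

# Constructed rule list: (category, pattern over one line of C, advice).
# A real analyser carries hundreds of such rules and parses the code properly;
# this toy version only matches well-known unbounded calls.
RULES = [
    ("unchecked buffer", re.compile(r"\bgets\s*\("),
     "gets() has no length bound; use fgets() with the buffer size"),
    ("unchecked buffer", re.compile(r"\bstrcpy\s*\("),
     "strcpy() copies until NUL; use a size-bounded copy such as strlcpy()/snprintf()"),
    ("unchecked buffer", re.compile(r"\bsprintf\s*\("),
     "sprintf() has no length bound; use snprintf()"),
    ("unchecked input", re.compile(r'\bscanf\s*\(\s*"[^"]*%s'),
     "%s in scanf() has no field width; use a width such as %63s"),
]


def scan_source(source):
    """Return one finding per (line, rule) hit as a dict with line, category, advice, text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0]  # ignore trailing // comments
        for category, pattern, advice in RULES:
            if pattern.search(code):
                findings.append({"line": lineno, "category": category,
                                 "advice": advice, "text": line.strip()})
    return findings


# Constructed sample C source mixing unbounded and bounded calls.
SAMPLE_C = r"""#include <stdio.h>
#include <string.h>
void greet(const char *name) {
    char buf[64];
    strcpy(buf, name);                  /* no bound on name length */
    printf("hello %s\n", buf);
}
int read_id(char *out) {
    int n = 0;
    gets(out);                          /* no length limit at all */
    scanf("%d %s", &n, out);            /* %s has no field width */
    scanf("%63s", out);                 /* bounded: not flagged */
    // strcpy(out, "x") inside a comment is not flagged
    return n;
}
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_C):
        print(f"line {f['line']}: [{f['category']}] {f['text']}\n    -> {f['advice']}")
```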

In addition to the source code analysis software, Fortify will also release a runtime vulnerability analysis tool, which can be used to conduct penetration testing against applications that have already been compiled.

PayPal Inc, the payments-processing subsidiary of eBay Inc, is Fortify’s first named customer, said Mike Armistead, founder of the Menlo Park, California-based firm. Competitors include Sanctum Inc and SPI Dynamics Inc.

Armistead said the differentiator here is that Fortify scans source code looking for problems, whereas the competition acts like a hacker, throwing bad data at a functional application, hoping to break something and be able to execute malicious code.

The company may need the differentiator, as it has some catching up to do in terms of distribution. Its rivals already have partnerships in place with IDE and QA tools vendors, making it easier to put product in developers’ hands.

Sanctum, for example, has referral sales deals with Microsoft, Borland, IBM and others. Its AppScan software can integrate with their IDEs. SPI Dynamics says it has partnerships with IBM and Mercury Interactive.

"It will eventually be important for us to do that, in the event that the market is commoditized like that, but it's not necessary out of the gate," said Armistead. "Not everyone uses IDEs."

This article is based on material originally published by ComputerWire