A partnership announced yesterday by Fortify Software and Watchfire, leaders in the application security market, is intended to bring together "white box" and "black box" testing to provide a more complete assessment of application vulnerability throughout the software development life cycle (SDLC).
The results of the partnership will integrate Fortify's Source Code Analysis Suite and Watchfire's AppScan, a Web application vulnerability scanner. With the integration, customers will have a single interface to view vulnerability data in one dashboard.
The integration of these two different types of products makes sense on several fronts, said Barmak Meftah, vice president of engineering and operations at Palo Alto, Calif.-based Fortify. "A lot of our customers already use AppScan, and the correlation of the results we find in the source code and what AppScan finds will provide a complete and accurate list. Static analysis finds a slew of issues, but there are certain security vulnerabilities you can only find when running the application."
The ability to have the integrated results was a request the two companies were hearing from their collective customers, according to Michael Weider, founder and chief technology officer of Waltham, Mass.-based Watchfire.
"If you're trying to get a complete assessment of application vulnerability, then the combination of source code scanning and Web application scanning is needed," said Neil MacDonald, vice president and distinguished analyst at Gartner Inc. in Stamford, Conn. "One or the other alone gets part of the picture, but the best results are to correlate the information to develop a complete picture."
While static source code analyzers and Web application vulnerability scanners are typically used by different parts of the development organization, the integration of the results found in both types of testing "helps both sides of the fence," MacDonald said. For example, he said, a Web application scanner might identify a page that is subject to a SQL injection, and that can help the developer get to the area of the code where the problem exists.
"By correlating the results you could take the developer to the actual line of code that needs fixing, saving time and energy. It's better from the developer's point of view than saying 'this page has a problem,'" MacDonald said.
On the other hand, he said, one criticism of source code scanners is that they find a lot of issues, some serious, some not so serious. "One way to help prioritize efforts is to understand and test if these vulnerabilities are exploitable from the outside world. If you take knowledge of the vulnerabilities in source code, and you test exploitability from a Web app perspective, you can focus on the higher severity problems. It's real from a source code perspective and real from a Web app perspective, so the correlation flows in both directions, and there is value in both."
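As an added illustration, not code from Fortify, Watchfire or the article, the two-way correlation MacDonald describes: dynamic findings are joined to static findings on vulnerability class, route and parameter, so a scanner hit resolves to a file and line while static findings with no external confirmation drop in priority. Field names, routes and the constructed findings below are assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class SastFinding:
    """Static-analysis finding: vuln class, code location, and the route/parameter it reaches."""
    vuln: str
    file: str
    line: int
    route: str
    param: str


@dataclass(frozen=True)
class DastFinding:
    """Dynamic-scan finding: vuln class observed at a URL and request parameter."""
    vuln: str
    url: str
    param: str


def _key(vuln, path, param):
    # Normalise so "/orders/" and "/orders" or "ID" and "id" still join.
    return (vuln.lower(), path.rstrip("/") or "/", param.lower())


def correlate(sast, dast):
    """Join both finding sets; assumes both tools use the same vuln-class labels."""
    by_key = {}
    for s in sast:
        by_key.setdefault(_key(s.vuln, s.route, s.param), []).append(s)
    confirmed, runtime_only, matched = [], [], set()
    for d in dast:
        hits = by_key.get(_key(d.vuln, urlparse(d.url).path, d.param), [])
        if not hits:
            runtime_only.append(d)  # only observable with the app running
        for s in hits:
            matched.add(s)
            confirmed.append((d, s))  # scanner hit -> exact file:line to fix
    unconfirmed = [s for s in sast if s not in matched]  # real in code, unproven from outside
    return {"confirmed": confirmed, "unconfirmed": unconfirmed, "runtime_only": runtime_only}


# Constructed sample findings (hypothetical app, not real scan output).
SAST = [
    SastFinding("sqli", "app/orders.py", 42, "/orders", "id"),
    SastFinding("sqli", "app/admin.py", 17, "/admin/report", "q"),
    SastFinding("xss", "app/search.py", 88, "/search", "term"),
]
DAST = [
    DastFinding("sqli", "http://app.example/orders/?ID=1", "id"),
    DastFinding("xss", "http://app.example/search", "term"),
    DastFinding("session-fixation", "http://app.example/login", "session"),
]
```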
Education is an additional benefit of this type of integration, said Eric Ogren, a security analyst at Enterprise Strategy Group in Milford, Mass. "It can start pointing out trends from a security standpoint. If [the tools] are catching things, you can use it as education for developers -- things they might not have been exposed to before." For example, he said, "If you're seeing the coding errors of cross-site scripting, you can share [that information] so it's not repeated."
Today, the common denominator driving the use of source code analyzers and Web application scanners is the information security person, Weider said. However, he said he sees a "big turning point" in bringing together the different aspects of application security across the SDLC "instead of viewing software security in isolation between developers and QA. Infosec becomes the common denominator to drive this, but results [of the two types of testing] will be aggregated and will provide for complete results."
Pressure to compete
Driving this partnership between Fortify and Watchfire is the pressure coming from Compuware, MacDonald said. Compuware now offers the DevPartner SecurityChecker and the DevPartner Fault Simulator as part of its DevPartner family.
"I believe the catalyst for these types of strategic relationships was Compuware's entry of source code scanning and Web app scanning integrated into a QA tool environment," he said. "Some tools vendors are starting to make noise, and it indicates that longer term it will put pressure on this market for providing both types of tools, whether through a single company or a partnership."
However, MacDonald added, "Compuware is fairly late." Platform vendors tend to be late and not feature rich but close the gap over time, he said. "The partnership between Fortify and Watchfire raises the bar," MacDonald said.
"We've got two products that stand alone that will be made stronger by linking. It also puts pressure on other standalone vendors, most notably SPI Dynamics and Ounce Labs, to also have similar agreements," he said. "It definitely raises the table stakes for vendors in this market space."
Fortify and Watchfire have some prototype integration now and expect to have correlated data by year-end, according to Weider. The partnership also includes joint sales and marketing.