Review: Series of tools helps shore up faulty coding

By James C. Foster, Contributor
03 Nov 2005 | Information Security magazine


CodeAssure Suite
Secure Software
Price: Starts at $49,000 for 10 developers

Exposed vulnerabilities continue to rise, and Internet worms are still wreaking havoc, but the focus shouldn't stray from the root cause of most Internet-borne attacks--insecure software.

Secure Software has created a solid series of tools for finding many of the vulnerabilities that lurk in insecure source code. Its core CodeAssure Workbench component finds buffer overflows, format string issues, hard-coded clear-text passwords and potentially insecure listening sockets, while CodeAssure Management Center provides a means of reporting on these issues in multiple formats.

Make no mistake--Secure Software's CodeAssure Suite is enterprise software for computer scientists and programmers, not security engineers. Installation and integration within the software development lifecycle could take a week or two of planning with a couple days set aside for actual implementation.

Workbench ships with approximately 6,000 vulnerability identification rules spread across 11 general categories, including cryptography misuse, general defects, range and type tracking, and clear-text passwords. It can analyze C, C++ and Java; the vendor is considering adding C#, Perl and VB.NET in the near future. All of these languages, plus JavaScript and ASP.NET, would be welcome additions.
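To make the defect classes listed above concrete, here is an added example (not code from CodeAssure or from any of the projects mentioned in this review) showing three of them in C, the pattern a source analyzer rule would flag beside a hardened form. Function names and the sample credential are hypothetical.

```c
/* Added example, not CodeAssure code: three of the defect classes named in the
 * review (buffer overflow, format string, hard-coded clear-text password), each
 * as the pattern a source analyzer flags beside a hardened form. Function names
 * and the sample secret "hunter2" are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 16

/* 1. Buffer overflow: strcpy() copies until the NUL, however long the source is. */
int greet_unsafe(const char *name) {
    char buf[NAME_LEN];
    strcpy(buf, name);              /* flagged: unbounded copy into a 16-byte stack buffer */
    return (int)strlen(buf);
}

/* Hardened: measure against the buffer first and refuse what does not fit. */
int greet_safe(const char *name) {
    char buf[NAME_LEN];
    const char *end = memchr(name, '\0', NAME_LEN);
    if (end == NULL)
        return -1;                  /* caller sees a rejection, not a smashed frame */
    memcpy(buf, name, (size_t)(end - name) + 1);
    return (int)(end - name);
}

/* 2. Format string: caller-controlled text used as the format lets "%x" or "%n"
 *    read or write memory. Returns the rendered length so the effect is visible. */
int render_unsafe(const char *msg) {
    char out[64];
    snprintf(out, sizeof out, msg); /* flagged: non-literal format string, no arguments */
    return (int)strlen(out);
}

/* Hardened: the format is a literal; msg is only ever data. */
int render_safe(const char *msg) {
    char out[64];
    snprintf(out, sizeof out, "%s", msg);
    return (int)strlen(out);
}

/* 3. Hard-coded clear-text credential: anyone holding the binary holds the password. */
static const char DB_PASSWORD[] = "hunter2";  /* flagged: secret literal in source */
int db_password_unsafe(char *out, size_t outlen) {
    return snprintf(out, outlen, "%s", DB_PASSWORD);
}

/* Hardened: the secret is injected by the deployment (here an environment
 * variable), so it appears in neither the repository nor the binary.
 * Returns the secret's length, or -1 when none is configured. */
int db_password_safe(char *out, size_t outlen) {
    const char *p = getenv("DB_PASSWORD");
    if (p == NULL || *p == '\0')
        return -1;                  /* fail closed instead of falling back to a default */
    return snprintf(out, outlen, "%s", p);
}
```

The format string case is the one worth running: the same input "100%% sure" renders as "100% sure" through the unsafe path (the "%%" is interpreted) and verbatim through the safe one, which is exactly the kind of behavioral difference a reviewer has to reason about when deciding whether a reported finding is exploitable.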

We tested Workbench against Firefox, GAIM and BitTorrent, and found numerous vulnerabilities, including buffer overflows and improper function and method usage. Unfortunately, we are not aware of any source code analysis product that answers the key question: Are these identified vulnerabilities actually exploitable? Vulnerabilities are important, but vulnerabilities that could be exploited by remote anonymous attackers are much more important.

Running your first analysis can be complicated and requires some developer skills; you have to create a project within the application, configure your workspace (where the files will be stored), configure the app to understand what type of program you will be analyzing, and then configure the "Run" function. A team of Secure Software specialists and your developers could complete this in a morning.

CodeAssure Management Center provides the enterprise-level reporting required for medium-to-large development environments. Key reports include security and bug trends and project comparisons. You can identify teams with less secure-coding experience and track whether those teams are getting better or worse over time.

CodeAssure Integrator is designed to infuse automated security assessments into software development cycles. It permits the system to query and report on bugs and trouble tickets. Integration with your bug tracking or ticketing system is highly recommended, since most mature development teams already use such a system to wrap processes, and even SLAs, around finding and fixing software defects.

The CodeAssure Suite has reports that are tailored for security and development organizations, but be prepared for a challenge. The security team is likely to recommend this type of software in the near future as the technology continues to mature, but neither security nor development will voluntarily jump to put it in their budgets.

This software has proven its ability to find vulnerabilities that Web application scanners, which test the running application rather than its source, will miss--such as embedded clear-text passwords and poor crypto implementations--but justifying its cost for a large development environment and its limited language support may set back implementation for the next 12 to 18 months.

This product review appears in the November 2005 issue of Information Security magazine.
