SPI Dynamics beefs up DevInspect tool

By Michelle Davidson, Site Editor
06 Nov 2006 | SearchAppSecurity.com

When it comes to protecting applications from attack, you need to cover all your bases. That job got a little easier for Java developers this week with SPI Dynamics' announcement of DevInspect 3.0.

SPI Dynamics' Hybrid Analysis, a combination of source code analysis and black box testing previously available for just .NET applications, now runs on J2EE applications.

"We're taking the advancement of Hybrid Analysis in the .NET market and broadening it," said Jason Schmitt, product manager of developer and QA products at SPI Dynamics. "DevInspect 3.0 is the most complete and unmatched combination of platform support, tool integrations and analysis approaches."

The importance of Hybrid Analysis, Schmitt said, is that the information gained from the source code analysis is used in cooperation with the black box security testing.

First, the source code analysis defines the application attack surface, identifying all application inputs and finding common security coding errors and all potential vulnerabilities, he said. Then the black box testing uses the intelligence and data from the source code analysis to discover and verify exploitable security defects using automated attack techniques against running applications.

"We can focus the black box testing on what we know about the code from the source code analysis. And the black box testing can add value to what is found during the source code analysis," Schmitt said.

DevInspect for Java is available as a standalone tool or as a plug-in to the most popular Java integrated development environments, including the Eclipse platform and IBM Rational Application Developer (RAD) versions 6 and 7. DevInspect for Java also integrates with IBM Rational ClearQuest for the creation and management of security defects within the development team.

Automatic code fixes
DevInspect 3.0 also provides automatic remediation of code in .NET applications. "Now we can take the information and not just suggest fixes but automatically remediate," Schmitt said.

The tool tells you what code it's about to apply, and it can make the change automatically or it can be set up so the developer decides whether to apply the changes.

This feature will be available for Java applications in early 2007, Schmitt said.

Support for Microsoft ASP.NET 2.0 AJAX
Developers creating applications with ASP.NET 2.0 AJAX (formerly called Atlas) can also use DevInspect 3.0 to test the security of those extensions. That makes it the first security product to analyze and remediate security vulnerabilities in Web applications built using ASP.NET AJAX, Schmitt said.

"Ajax applications are difficult to analyze because user requests are always changing," he said. "But we can look deeply into Ajax now. Analysis of the source code can help pinpoint things before running a black box test."

Schmitt added that SPI Dynamics worked closely with Microsoft's ASP.NET AJAX team when creating this feature. So, when AJAX is released, DevInspect will be fully capable of testing those types of extensions.

DevInspect 3.0 for Microsoft Visual Studio Team System
SPI Dynamics also announced the release of DevInspect 3.0 for Microsoft Visual Studio Team System, an integrated defect tracking and configuration management product. The tight integration of DevInspect with Visual Studio Team System enables developers to share data about security defects with their entire development team, Schmitt said.

Additionally, the product boasts an added security control that checks code for vulnerabilities before code is checked in. "If it has a vulnerability, it won't allow it to be checked in," Schmitt said. "We want to make sure vulnerabilities aren't introduced."

DevInspect 3.0 costs about $3,000 per user. It will be available Dec. 1, 2006. For more information, please visit SPI Dynamics' Web site.


