Fortify Software, a security testing and assessment service provider, now offers security testing and assessment for applications destined for the cloud. Its Fortify 360 and Fortify on Demand services are available for cloud applications as of May 18.
“There are two promises the cloud makes to application developers and their consumers: access to a wider range of software resources and utilities, and having them available at a huge reduction in cost,” said Brian Chess, founder and chief scientist at Fortify. Security has been a primary concern in software from the get-go. Chess feels that the cloud, though seemingly more secure on paper, will amplify latent vulnerabilities in applications. There are also concerns about the lack of standardization and measurement within the cloud. “Standardization – the standard of computation in [and out of] the cloud is a limiting factor. So far, we haven’t seen a lot published on how security will be provided and ensured. This may force many application developers to hide behind private clouds, or call for a double-scooping of firewall onto their code.”
In the cloud, pre-existing flaws will be easier to find and exploit. Problems will become obvious faster and will be accessible to a much vaster audience. In risk-prone applications, the possibility of eavesdropping on code that lacks fortitude could become a major issue in the future of cloud computing.
“DNS security has always been a security focal point in the Data Center, it is a known weak spot. But because the weakness is well known, with careful monitoring, organizations have made DNS issues manageable. The cloud however, poses some new challenges — not only do you need to be positive that your DNS security is top notch, now you need to be active and aware of who your computer is communicating with on a much larger scale,” said Chess, who borrowed examples from Apple and Microsoft to illustrate his point.
“Apple and Microsoft have been using automatic updates and automatic patches to fix flaws they’ve uncovered. These are prescheduled and normally occur at times users are not in front of their computer. Many of these updates do not require you to click ‘OK’ or accept that an update is being made. Imagine how similar ‘falsified’ automatic updates would work in a public cloud. They could open some rather large doors for your computer to become part of a Bot network or worse.”
Fortify will address these application security issues via two vehicles, Fortify 360 and Fortify on Demand. Fortify 360 is the full-scale version of Fortify's security testing and assessment offering. It includes an assessment service and a round of penetration, static, runtime and real-time testing. On Demand primarily covers just the penetration and static testing. Add-ons are available to customize and add depth to your security testing requirements, but they come at an increased cost.
Fortify will use whichever service the customer chooses to test their application for security in the cloud. Upon purchase, Fortify gains access to the application and subjects it to monitoring while its testers attempt to break into it. Through a partnership with White Hat, Fortify does not require that applications be brought in-house; the tests are performed online on Fortify's private network.