Reaching out to individual developers, Klocwork is launching Klocwork Developer for Java, a downloadable Eclipse and Rational IDE plug-in for analyzing Java code for security vulnerabilities and defects. The new offering is based on the developer desktop module of the Klocwork Enterprise Suite announced late last year.
According to Nick Allen, director of marketing at Klocwork Inc. in Burlington, Mass., one goal of offering a "lighter" version of its automated code analysis product is to prove the value of such a tool to developers. "When we try to sell enterprise development solutions we can get resistance," Allen said. Many developers are skeptical and think that using such a tool could "slow how they develop code, where speed is king," he said.
Klocwork's move follows a similar move last month by Cenzic, which rolled out two low-cost/no-cost "starter" versions of its Hailstorm application security assessment product targeted at individual developers.
Despite all the recent attention around application security, "it's been very hard to get the awareness that putting security into the software development life cycle makes sense for enterprises; it's seen as an extra step, potentially slowing down the development cycle or the developers," said Diana Kelley, a vice president at Midvale, Utah-based Burton Group.
The adoption of automated code analysis tools for detecting security vulnerabilities has not been the same type of "de facto" decision organizations made about the adoption of firewalls or anti-virus protection, Kelley added. "Companies aren't saying they absolutely have to use an application scanner or source code scanner," she said.
In talking with customers, Kelley said they're asking questions such as, Will these tools slow me down? How will I know I'll end up with a better product? For development organizations, "it's about making sure the process is not slowed down and there is process improvement."
Allen said pricing Klocwork Developer for Java at $299 per developer per year also addresses the price sensitivity in the Java tools market, where developers are used to using open source or low-cost IDEs and Java static analysis tools.
Application security a growing issue
Java developers are also writing more Web-facing applications and security is a rising concern. "In the Java world there is a lot of new and important development work being done that makes it easy for us to showcase the potential problems in the software," Allen said. While Java applications are not as susceptible to the types of code quality defects found in C and C++ programs, they instead have exposure to security defects. And "when most developers are educated, security is not part of it," he said.
Klocwork Developer for Java is designed to get fast, accurate results to developers, which will be key to acceptance, said Ian Gordon, vice president of product management at Klocwork. The product also offers analysis results that are persistent, which allows developers to see newly introduced issues and ensures developers do not look at issues they already investigated. "The value is they can focus on what they want to focus on without going back; so it fits in with the development workflow," Gordon said.
While many open-source offerings focus on coding style issues and defects, the Klocwork product is additionally focused on application security vulnerabilities and uses nine out of OWASP's Top 10 vulnerability list as a benchmark, Gordon said.
Although the adoption of automated tools like Klocwork's has been slower than expected, Kelley said she is seeing more awareness and interest.
"People are realizing it's about the data and who's holding keys to data, and they're understanding that the application is the way people are getting to critical data," she said. "Most organizations are at least looking at one type of tool or another. As far as a requirement that every application developer uses these tools, I don't know when that would be widespread. I hoped it would be closer by now."