A few months ago, Hewlett Packard announced its intention to acquire Web application scanning tool company SPI Dynamics. Not long before that, IBM/Rational announced intentions to acquire Web application scanning tool company Watchfire. As a moonlighting developer and tester, I'm energized by these moves and wonder what took the Application Lifecycle Management (ALM) tool companies so long to make a move into the secure development space.
One of the most significant challenges in IT security is that of application security. The IT industry is starting to realize that applications are the new security battleground. I have preached for quite some time that the software insecurity problem will never get solved until it is addressed at the developer desktop (a term I use to include testers and other application development team members). This marriage of ALM and application security signals a new day in which development teams can address security issues as applications are being developed, rather than testing for them after the fact.
Application security has followed the same path as application performance and application reliability before it. It is viewed as an isolated aspect of software quality that is frequently not considered as the applications are being built. Much as with the effects that poor performance had on end users, companies don't take enough steps toward fixing the systemic issue (poor code development) until their customers bear the brunt of it. This problem needs to be nipped in the bud at the developer's desktop.
Education continues to be an invaluable, yet overlooked, tool in the application security arsenal for companies today. Many developers don't know how to code for security and testers don't know where or how to look for security vulnerabilities. There are a multitude of assessment tools, but they are helpful only if you can interpret the results. The key is to integrate security into the existing software development process, including security in the definition of overall software fitness.
We've seen the results that developers can achieve when they use best practices and processes outlined by the ALM vendors. They produce software that is infinitely more robust and reliable for a fraction of the cost and effort that it would have required even five years ago. It is promising to imagine all the benefits an organization will realize as security standards become part of these processes.
Now that companies are getting educated on application security, and the large ALM vendors (well, the largest two anyway) are acquiring security tools companies, it seems that we are finally on our way to addressing more of the application security problem. And I'm certain development teams and consumers alike are excited about the prospect of an integrated approach to secure code development.
About the author: John Carmichael is a security trainer and engineer at Security Innovation.