
Parasoft focuses on application security analysis

With the release of its new Application Security Solutions product at JavaOne, Parasoft Corp. is moving beyond application testing to focus on security-based analysis and standards compliance, according to Wayne Ariola, vice president of corporate development. He discussed the new product in a recent interview at JavaOne in San Francisco.

What is this new product that you announced at JavaOne?

What we announced at JavaOne was the Parasoft Application Security Solutions. Needless to say, Parasoft has always had security baked into its products. What we've done in this release is provide much more security-based analysis, with configurable rules-based analysis based on business demands. Beyond that, from a Parasoft perspective, what we've done is develop a defect-prevention, error-prevention program for security. It's about aligning developer workflow with security language so you can be more productive.

How does that work?
Let's say you have a specific policy defined in your organization that you want to be PCI-compliant, plus you have other rules in your organization around security, quality, reliability and maintainability that you want to monitor. So in a code review process, you want certain artifacts to drop in a peer set at the same time. When that does drop, the package of all this data coming together is very critical, and there's a lot of it. Our security section translates business semantics into technical help, so when the developer knows we're supposed to be PCI-compliant, it's not just a rule that is kind of a generic rule -- these are all generic rules -- it's the encapsulation of what that means to the business that is important. So the special security section allows the developer, the peer code reviewer or the code review session to focus on security. That raises the security IQ of the organization.

Is it the security domain people who are using this, or is it the people working on policy management?
It's both. This is where it gets interesting. Over the last three to four years, we've seen investment and startups for audit tools. They've been successful in selling an audit solution to someone like a CSO. What happens, though, is that the audit solution, once it is run against the code base or an application suite, is really good at checking for security vulnerabilities. But how do you remediate that?

What Parasoft does is prioritize tasks to help them remediate. For example, you might have a class that has a problem. That goes to the top of the developer's task list, so when he comes in the next morning he sees it and knows he has to fix it. From a code review process, that all gets bundled together to show that the developer has violated security rules, and you can review that. One of the biggest problems we've found with security is not that developers don't want to do it. It's that they don't know what's required. So automating the policy process that is usually developed by the CSO and getting it back down to the developer desktop is something we're really pushing for security.

Does this link up with your SOAtest product?
They are two separate processes. The SOAtest product does very nice scenario-based penetration. I would never say that SOAtest is a penetration testing tool. What I would say is that SOAtest does a great job of SOA penetration testing. It's scenario-based penetration testing. So we expose errors, but from a quality perspective instead of an audit perspective. The connection between the audit tool and the SOA solution is that they can scan the same code base and correlate together.

From a business perspective, how does this keep me from burning my fingers on the oven? How does this save me money?
When we go into customers, the questions are more about audits and standards. These things have gotten much more granular in the last 18 months with the new standards because now you have to be PCI-compliant. You have to pass the audit or it will take money out of your pocket. So you've got to actively monitor these things.
