Parasoft Corp., a provider of solutions and services that deliver quality as a continuous process throughout the Software Development Lifecycle (SDLC), has enhanced its Application Security Solution to help companies identify run-time security vulnerabilities and monitor security policy compliance.
With this enhancement, Parasoft is leveraging data flow analysis with knowledge of security artifacts to show end-to-end how a hacker's tainted data could infect code, said Matt Love, an application security architect at Parasoft.
"Originally it was a quality tool, because it could do things like identify points in code where null pointers were assigned and how it might flow," Love said. "What we've done with this release is combine our security analysis with our data analysis engine. So we have a real end-to-end security analysis solution that will start at a point where a hacker might enter tainted data and trace the flow of the data and show how it goes from one file to another and bypasses any validation -- and might be passed to a database."
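The kind of analysis Love describes, tracing attacker-supplied data from the point it enters, through assignments, to a dangerous sink, and treating a validation call as the thing that breaks the chain, can be sketched as a small taint tracker over Python's ast module. The code below is an added illustration written for this article, not Parasoft's product or code; the catalogue of sources, sanitizers and sinks (request.args.get, validate_id, escape, cursor.execute) and the three sample functions under analysis are constructed for the example.

```python
import ast

# Constructed catalogue of "security artifacts" for this example:
# attacker-controlled entry points, validation routines, and sinks together
# with the index of the argument that must never carry tainted data.
SOURCES = {"request.args.get"}
SANITIZERS = {"validate_id", "escape"}
SINKS = {"cursor.execute": 0}   # only the query text is dangerous; bound parameters are fine


def dotted_name(node):
    """Render a Name/Attribute chain such as cursor.execute as 'cursor.execute'."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintTracker(ast.NodeVisitor):
    """Intraprocedural taint propagation in statement order over one function body."""

    def __init__(self):
        self.function = None
        self.tainted = {}      # variable name -> line where its taint entered
        self.findings = []

    def expr_taint(self, node):
        """Return the source line an expression's taint came from, or None if clean."""
        if isinstance(node, ast.Call):
            fn = dotted_name(node.func)
            if fn in SOURCES:
                return node.lineno            # taint enters the program here
            if fn in SANITIZERS:
                return None                   # validation breaks the flow
        if isinstance(node, ast.Name):
            return self.tainted.get(node.id)
        # Any other expression (concatenation, f-string, method call on a tainted
        # receiver, tuple, ...) is tainted if any sub-expression is tainted.
        for child in ast.iter_child_nodes(node):
            src = self.expr_taint(child)
            if src is not None:
                return src
        return None

    def visit_FunctionDef(self, node):
        self.function = node.name
        self.tainted = {}                     # fresh state for each function
        self.generic_visit(node)

    def visit_Assign(self, node):
        src = self.expr_taint(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if src is None:
                    self.tainted.pop(target.id, None)   # overwritten with clean data
                else:
                    self.tainted[target.id] = src
        self.generic_visit(node)

    def visit_Call(self, node):
        fn = dotted_name(node.func)
        if fn in SINKS and SINKS[fn] < len(node.args):
            src = self.expr_taint(node.args[SINKS[fn]])
            if src is not None:
                self.findings.append({
                    "function": self.function,
                    "sink": fn,
                    "source_line": src,
                    "sink_line": node.lineno,
                })
        self.generic_visit(node)


def analyze(source):
    """Return every source-to-sink flow that reaches a sink without passing a sanitizer."""
    tracker = TaintTracker()
    tracker.visit(ast.parse(source))
    return tracker.findings


# Constructed sample code under analysis (not taken from any real project).
SAMPLE = """\
def lookup_vulnerable(request, cursor):
    user_id = request.args.get("id")
    query = "SELECT * FROM users WHERE id = " + user_id
    cursor.execute(query)

def lookup_validated(request, cursor):
    user_id = validate_id(request.args.get("id"))
    query = "SELECT * FROM users WHERE id = " + user_id
    cursor.execute(query)

def lookup_parameterised(request, cursor):
    user_id = request.args.get("id")
    cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"{f['function']}: tainted data from line {f['source_line']} "
              f"reaches {f['sink']} on line {f['sink_line']} without validation")
```

Only lookup_vulnerable is reported: in lookup_validated the sanitizer call clears the taint before the concatenation, and in lookup_parameterised the tainted value travels in the bound-parameter tuple rather than in the query text, so the sink's dangerous argument stays clean. The sketch is deliberately limited to one function at a time and ignores branching; the cross-file, interprocedural tracing Love describes is the part a production engine adds on top of this basic propagation.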
The latest enhancements not only draw upon a knowledge base of common attack patterns, but they also enable organizations to map the data flow logic to their own security policy. And based on the policy that's running, tasks are pushed to the developers' desktops.
"The developer is not fumbling around with an analysis tool. They're working through the prioritized issues that land in their task list. This combination gives them the ability to correct the defects," said Wayne Ariola, vice president of corporate development at Parasoft.
By showing developers how tainted data can flow through an application, it's easier to persuade developers to fix their code, Love added.
"People are hesitant to fix code because they think it isn't their responsibility. We can prove that it can get from point A to point B without validation. We can show how it can slip through that hole," he said.
Ariola said this is more than just bug-finding exercises. "It really fits into the policy-based approach," he said.
Neil MacDonald, vice president and Gartner Fellow, said security should be an integral part of the SDLC, not an afterthought.
"The notion of application 'quality' which has traditionally focused on functionality and performance must be expanded to include security," he said in a prepared statement. "Native integration of security testing capabilities into the SDLC environment will increase the likelihood of acceptance by the development organization."
For more information about Parasoft's Application Security Solution, visit Parasoft's Web site.