Curbing security issues in software applications becomes focus for developers
IRVINE, Calif., March 8, 2006
It's a fact: Security issues, from worms to viruses and hacking, continue to grow at a staggering rate and perpetrators of these attacks continue to look for new and interesting ways to find and exploit these security holes. Virus protection vendors are continually challenged with the next new worm and they're making valiant efforts to fix these attacks before they cause too much damage.
As software security issues, long overshadowed by operating system security holes, rise to the forefront, vendors will find themselves in a pickle to address heated customer inquiries and demands to fix security issues in a timely manner. The big question: What's being done to keep software security issues under control? The answer: A lot of after-the-fact effort versus preemptive strategies.
According to Beyond Security, a leading provider of security assessment technologies and the founder and operator of www.securiteam.com, the largest independent security portal, the problem with security holes in operating systems and software programs is growing. "In 2004, we documented 1,258 security holes and in 2005 that number grew to 1,523 security holes," said CEO Aviram Jenik.
As computer hackers refocus their efforts from operating systems to targeting desktop software applications, the need for software developers to implement a bullet-proof process for safeguarding their applications is more important than ever. However, this is no small feat as quality assurance (QA) teams have traditionally focused on testing applications for code defects and are not accustomed to testing for security holes.
The concept of vulnerability assessment testing during the development process has, up to now, been wishful thinking. Challenges include aggressive development schedules that leave little room for comprehensive testing and inadequate security testing tools. Many software vendors are making an honest effort to fix the problem but are ineffective because of the existing tools at their disposal. Other vendors hire consultants to perform manual security audits or have adopted first-generation security testing tools that are not up to the task. These solutions are often chosen because vendors are unaware of other alternatives.
However, the reality is that software vendors must channel their energies in the direction of vulnerability assessment testing before products hit the street, because they will soon face compliance requirements and customers that insist on more secure products. Many large organizations will require their software suppliers to conduct security reviews of their products before they use them, and there is an increasing appreciation for secure products.
Beyond Security believes that this problem isn't as daunting as it seems. Founded in 1999, Beyond Security has built its reputation on its network security solutions that facilitate preemptive, real-time and continuous network, server, database and application security. Their flagship product, Automated Scanning, conducts automatic penetration testing on a daily basis and has been adopted by a variety of global companies that include systems integrators like IBM, EDS and Lucent Technologies, financial industry players that include American Express and Garanti Bank, consumer goods providers like Rayovac and Siemens, and a variety of other companies in a range of vertical industries.
Beyond Security is readying its latest product, beSTORM, a security assessment tool that uncovers unknown security vulnerabilities in products during the development cycle. beSTORM focuses on network-enabled applications and models the protocols used to communicate with them. It exercises each protocol with a specific emphasis on cases that are technically legal but functionally erroneous. Simply put, beSTORM performs an exhaustive protocol analysis in order to uncover new and unknown vulnerabilities in network products, an approach that differs from older-generation tools, which rely on attack signatures or attempt to locate already known vulnerabilities. Unlike source code audit tools, beSTORM does not require the source code and produces far fewer false positives.
beSTORM is targeted at software developers and QA professionals, or better yet, the security professionals at a software company whose mission is to ensure the security of its solutions before they enter the market.
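As an added illustration of the approach described above (this is example code, not beSTORM's own code or model format): a small generation-based fuzzer over a constructed length-prefixed protocol. It walks a model of the protocol's fields, emits values that are syntactically legal but semantically wrong (unassigned types, off-by-one and extreme lengths), and runs them against a naive parser and a validating one, recording which frames cause an unhandled fault rather than a graceful rejection.

```python
import struct
from itertools import product
# Constructed toy protocol (not beSTORM's format): 1-byte type, 2-byte BE length, payload.
TYPES = {1: "HELLO", 2: "DATA"}

def build(msg_type: int, length: int, payload: bytes) -> bytes:
    # Length field is set independently of the payload so erroneous frames can be built.
    return struct.pack(">BH", msg_type, length) + payload

def parse_naive(frame: bytes) -> tuple:
    # Trusts every header field: the kind of code protocol fuzzing shakes out.
    msg_type, length = struct.unpack(">BH", frame[:3])
    name = TYPES[msg_type]                      # KeyError on an unassigned type
    payload = frame[3:3 + length]
    return name, length, payload[length - 1]    # IndexError if length > len(payload)

def parse_hardened(frame: bytes) -> tuple:
    # Same parser, every field validated before use; bad input -> ValueError.
    if len(frame) < 3:
        raise ValueError("truncated header")
    msg_type, length = struct.unpack(">BH", frame[:3])
    if msg_type not in TYPES:
        raise ValueError("unknown type %d" % msg_type)
    payload = frame[3:]
    if len(payload) != length:
        raise ValueError("length %d != payload %d" % (length, len(payload)))
    return TYPES[msg_type], length, (payload[-1] if payload else None)

def generate_cases(payload: bytes):
    # Walk the protocol model: per field, emit values that fit the field's type
    # but violate the protocol's semantics (boundaries, off-by-one, unassigned).
    n = len(payload)
    type_values = [1, 2, 0, 0xFF]
    length_values = sorted({n, 0, 1, n - 1, n + 1, 0xFFFF})
    for t, l in product(type_values, length_values):
        if l >= 0:                              # negative lengths are not encodable
            yield build(t, l, payload)

def fuzz(parser, payload: bytes = b"hello") -> list:
    # Run every frame; ValueError = graceful rejection, anything else = finding.
    findings = []
    for frame in generate_cases(payload):
        try:
            parser(frame)
        except ValueError:
            pass
        except Exception as exc:
            findings.append((frame, type(exc).__name__))
    return findings
```

Calling `fuzz(parse_naive)` lists the frames that crash the trusting parser, while `fuzz(parse_hardened)` returns an empty list because every malformed frame is rejected cleanly.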
"We live in strange times where insecure software applications are common," added Jenik. "Once software developers begin to use beSTORM as a way to gain an edge over their competitors, market forces will shift making secure products the norm and pre-release security testing the standard."
beSTORM employs a client/server architecture and runs on Windows, UNIX and Linux. General availability for beSTORM is scheduled for later this month.
About Beyond Security
Beyond Security, a privately held company, develops leading vulnerability assessment and self-management solutions that facilitate preemptive, real-time and continuous network, server, database and application security. The company was founded in 1999 by the founders of the SecuriTeam portal (www.securiteam.com), a leading source for vulnerability alerts and solutions serving 1.5 million monthly page views to IT security professionals. Beyond Security's founders are great believers in automation, which is why the company sells tools instead of using them to provide services. Beyond Security's goal is to decrease the number of security holes in products to manageable levels and empower software vendors to release secure products. For more information, visit www.beyondsecurity.com.