Journey through Enterprise IT Services
In Journey through Enterprise IT Services, Nadhan, HP Distinguished Technologist, explores the IT Services industry, and discusses technology trends in simplified terms.

Fortify the dynamic enterprise with static code analysis tools

Security is what I had in mind when I started teaching my daughter driving recently. I explained all the steps that a good, secure driver must take before setting the vehicle in motion when it is static – at rest. While these are really simple steps to ensure, for example, that the mirrors are positioned properly and the turn signals are functioning, they are also powerful life-saving steps once the vehicle is in motion. Applications are like cars in many respects. Therefore, enterprises should take a similar approach before putting their applications in motion. It is much easier to take precautionary measures by scanning the source code for vulnerabilities – way before running the binary code. Simple techniques, such as visual inspection, have proven powerful in the past. Imagine having a tool that automates such techniques, executes them faster, and runs in parallel with software development. Well, you don’t have to imagine any longer!


So, what are the key characteristics that best define a static code analysis tool?

1. Coverage: It is important that the generated information addresses potential issues across multiple application paradigms, including mobile, web and client-server applications.

2. Duration: Source code assessments to identify vulnerabilities must be effective and fast. Scalable solutions in the Cloud can be leveraged to that end.

3. Assurance: Accuracy of the identified vulnerabilities is a defining aspect of such tools. You don’t want application development teams chasing a finding that looks like a vulnerability but turns out to be a false alarm.

4. Impact: Security measures employed during software development should minimally impact the software development timeline while ensuring a secure product at the end.

5. Partnership: Static code analysis is one of the instruments used as part of the overall risk management strategy for the enterprise. Enterprises must work with trusted partners across the application life cycle to anticipate security vulnerabilities and take proactive measures upstream, during every phase of the SDLC.

These are the critical aspects of a tool that can effectively perform static code analysis in your enterprise.

Keeping these in mind, please take a close look at what Alastair Stevenson has to say about the latest release of HP Fortify Static Code Analyzer in V3 and let me know what you think. You can also attend these sessions at the HP Protect 2013 conference:

As a parent, I care about the security of my children – especially when they are driving their cars. It will be much more difficult to control the outcomes of “breaches” or “violations” once the car is in motion. I would rather be assured that the car is safe even before it is started.

 

Newton immortalized the laws of motion. How does this sound to you as Nadhan’s Law of Secure Applications:

 

Applications must at least be secure at rest for them to be secure when in motion.

 

What measures are you taking to assess the security of your applications at rest? Would you be attending the Fortify sessions at HP Protect 2013? Is your car secure at rest? Are your applications secure in motion? Do you have a second law for secure applications? Please let me know.

 
