ALM Inches a Step Closer to Application Security
Borland’s Gauntlet partners are a first sign vulnerability testing has arrived
By Jennifer deJong

March 1, 2007 — Application security hasn’t been a high focus area for ALM tool makers, but Borland Software may be showing signs that a change is finally afoot.

When the company announced its Open Application Lifecycle Management strategy earlier this year, it named three application security partners: Cenzic, Fortify and Klocwork. “I am not surprised that [Borland is] pushing security as a big issue,” said Ovum analyst Bola Rotibi. It’s likely to become a big issue for all ALM tool makers going forward, she said.

Included in Borland’s Open ALM announcement was the launch of Gauntlet. The automated build and testing tool is based on technology Borland acquired when it bought Gauntlet Systems last May. Designed to work with Borland’s Lifecycle Quality Management (LQM) tools—for project management, requirements definition, quality management and change management—Gauntlet provides development teams with an efficient way to subject code to various forms of analysis before it is checked in for a build, noted Forrester analyst Carey Schwaber.

For instance, by plugging Cenzic’s Hailstorm into Gauntlet, a team could conduct black-box tests on its code, simulating actual attacks in order to pinpoint holes a hacker might exploit. In the same fashion, Fortify’s SCA or Klocwork’s K7 could be used to analyze source code for vulnerabilities.

Asked whether Borland’s emphasis on application security is a sign that black-box testing and source code analysis are likely to become integral parts of the ALM process and of the ALM tool set, Borland vice president of product marketing Marc Brown said security is just one among several quality issues.

But Borland agrees that, among ALM tool makers in general, security aspects of quality have not made their way into application life-cycle discussions. “But to be successful with application security—or anything else, for that matter—you have to ensure that discipline is woven into daily practices,” said Borland director of development solutions Rob Cheng. Cenzic vice president of marketing Mandeep Khera agreed. “You have to catch security vulnerabilities earlier in the cycle.” To accomplish that, application security testing must become part of the ALM process, he said.

WHERE DOES IT FIT?
One reason why that hasn’t happened yet is that it is difficult to figure out just where application security fits, said Schwaber. “No one knows where in the development cycle it should go.” It’s not clear whether it’s the responsibility of developers or testers, or that of the information security group, she said. She doesn’t believe Borland is promoting the application security message intentionally. “What [the announced Gauntlet partners] have in common is that all of them do static analysis.”

Infusing analysis into the ALM tool set and the ALM process is what Gauntlet is all about, said Borland’s Cheng. Many ALM tools are integrated with application security offerings, but such integrations are typically point to point, he said. For instance, Cenzic Hailstorm is integrated with Hewlett-Packard’s testing tools, formerly Mercury. And Fortify SCA works with the Rational Software Development Platform. But Gauntlet, when used in tandem with Borland LQM offerings, can bring together data from many different tools, generating reports on key security trends, for instance. “You could see that code checked in by this group of developers resulted in a rise of this particular type of vulnerability,” said Cheng, offering an example. (Forrester’s Schwaber noted that reports that pull data from many different products can also be created with Microsoft’s Visual Studio Team System.)
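The cross-tool trend report Cheng describes (a rise in one vulnerability class traced to one group's check-ins) is easy to sketch once each analyzer's native output has been mapped into a common record. The script below is an added illustration written for this article, not code from Borland, Gauntlet or any of the partner products; the tool names, the record layout, the build numbers and the findings themselves are constructed sample data, and the per-location de-duplication step is an assumption about how overlapping static-analysis results would be reconciled.

```python
"""Aggregate findings from several analysis tools into a per-build trend
report: which team's check-ins drove a rise in which vulnerability class.

Illustrative example added to the article. Tool names ("static-a",
"static-b", "dynamic-x"), the normalized record shape and every finding
below are constructed; none is real output from Hailstorm, SCA or K7.
"""
from collections import defaultdict

# Constructed sample: one record per finding after each tool's native
# report has been normalized.
#   build    - build in which the finding appeared
#   tool     - analyzer that reported it (hypothetical names)
#   team     - group whose check-in introduced the flagged code
#   category - vulnerability class as the tool labels it
#   location - file:line for static tools, URL path for the dynamic one
SAMPLE_FINDINGS = [
    {"build": 101, "tool": "static-a",  "team": "payments", "category": "sql-injection",  "location": "Pay.java:40"},
    {"build": 101, "tool": "static-b",  "team": "payments", "category": "sql-injection",  "location": "Pay.java:40"},
    {"build": 101, "tool": "dynamic-x", "team": "web",      "category": "xss",            "location": "/search"},
    {"build": 102, "tool": "static-a",  "team": "payments", "category": "sql-injection",  "location": "Pay.java:40"},
    {"build": 102, "tool": "static-b",  "team": "payments", "category": "sql-injection",  "location": "Pay.java:40"},
    {"build": 102, "tool": "static-a",  "team": "payments", "category": "sql-injection",  "location": "Pay.java:88"},
    {"build": 102, "tool": "static-a",  "team": "payments", "category": "sql-injection",  "location": "Refund.java:12"},
    {"build": 102, "tool": "dynamic-x", "team": "web",      "category": "xss",            "location": "/search"},
    {"build": 102, "tool": "static-b",  "team": "web",      "category": "path-traversal", "location": "Files.java:7"},
]


def dedupe(findings):
    """Collapse findings that two tools report at the same place in the same
    build, so overlapping analyzers do not inflate the counts (assumed policy)."""
    seen = set()
    unique = []
    for f in findings:
        key = (f["build"], f["team"], f["category"], f["location"])
        if key in seen:
            continue
        seen.add(key)
        unique.append(f)
    return unique


def counts_by_build(findings):
    """Return {(team, category): {build: count}} over de-duplicated findings."""
    table = defaultdict(lambda: defaultdict(int))
    for f in dedupe(findings):
        table[(f["team"], f["category"])][f["build"]] += 1
    return table


def rising(findings, prev_build, cur_build, min_increase=2):
    """List (team, category, before, after) for every team/category pair whose
    count grew by at least min_increase between the two builds."""
    hits = []
    for (team, category), per_build in counts_by_build(findings).items():
        before = per_build.get(prev_build, 0)
        after = per_build.get(cur_build, 0)
        if after - before >= min_increase:
            hits.append((team, category, before, after))
    return sorted(hits)


def report(findings, prev_build, cur_build):
    """Render the rising categories as one line each."""
    return "\n".join(
        f"{team}: {category} rose from {before} to {after} "
        f"between build {prev_build} and build {cur_build}"
        for team, category, before, after in rising(findings, prev_build, cur_build)
    )


if __name__ == "__main__":
    print(report(SAMPLE_FINDINGS, 101, 102))
```

Running it prints the single trend the sample was built to show: the payments team's check-ins took SQL injection findings from one to three between the two builds, while the web team's single new path-traversal finding stays below the reporting threshold. In practice the interesting design decisions are the ones glossed over here: a shared category taxonomy across tools, and a rule for deciding when two tools are describing the same defect.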

Ovum’s Rotibi said Borland is taking a much deeper look at some of the individual phases in the ALM process, and application security is a part of that. That approach is “quite canny,” she said. “They have solved their problem around CodeGear,” she said, referring to Borland’s recent spin-off of the developer tools group. “They have nothing to lose, and they are going for it in a big way.”

Copyright © 1999-2008 BZ Media LLC, all rights reserved.