ALM Inches a Step Closer to Application Security

Borland’s Gauntlet partners are a first sign vulnerability testing has arrived

March 1, 2007 — Application security hasn’t been a high focus area for ALM tool makers, but Borland Software may be showing signs that a change is finally afoot.

When the company announced its Open Application Lifecycle Management strategy earlier this year, it named three application security partners: Cenzic, Fortify and Klocwork. “I am not surprised that [Borland is] pushing security as a big issue,” said Ovum analyst Bola Rotibi. It’s likely to become a big issue for all ALM tool makers going forward, she said.

Included in Borland’s Open ALM announcement was the launch of Gauntlet. The automated build and testing tool is based on technology Borland acquired when it bought Gauntlet Systems last May. Designed to work with Borland’s Lifecycle Quality Management (LQM) tools—for project management, requirements definition, quality management and change management—Gauntlet provides development teams with an efficient way to subject code to various forms of analysis before it is checked in for a build, noted Forrester analyst Carey Schwaber.

For instance, by plugging Cenzic’s Hailstorm into Gauntlet, a team could conduct black-box tests on its code, simulating actual attacks in order to pinpoint holes a hacker might exploit. In the same fashion, Fortify’s SCA or Klocwork’s K7 could be used to analyze source code for vulnerabilities.

Asked whether Borland’s emphasis on application security is a sign that black-box testing and source code analysis are likely to become integral parts of the ALM process and of the ALM tool set, Borland vice president of product marketing Marc Brown said security is just one among several quality issues.

But Borland agrees that, among ALM tool makers in general, security aspects of quality have not made their way into application life-cycle discussions. “But to be successful with application security—or anything else, for that matter—you have to ensure that discipline is woven into daily practices,” said Borland director of development solutions Rob Cheng. Cenzic vice president of marketing Mandeep Khera agreed. “You have to catch security vulnerabilities earlier in the cycle.” To accomplish that, application security testing must become part of the ALM process, he said.

WHERE DOES IT FIT?
One reason why that hasn’t happened yet is that it is difficult to figure out just where application security fits, said Schwaber. “No one knows where in the development cycle it should go.” It’s not clear whether it’s the responsibility of developers or testers, or that of the information security group, she said. She doesn’t believe Borland is promoting the application security message intentionally. “What [the announced Gauntlet partners] have in common is that all of them do static analysis.”

Infusing analysis into the ALM tool set and the ALM process is what Gauntlet is all about, said Borland’s Cheng. Many ALM tools are integrated with application security offerings, but such integrations are typically point to point, he said. For instance, Cenzic Hailstorm is integrated with Hewlett-Packard’s testing tools, formerly Mercury. And Fortify SCA works with the Rational Software Development Platform. But Gauntlet, when used in tandem with Borland LQM offerings, can bring together data from many different tools, generating reports on key security trends, for instance. “You could see that code checked in by this group of developers resulted in a rise of this particular type of vulnerability,” said Cheng, offering an example. (Forrester’s Schwaber noted that reports that pull data from many different products can also be created with Microsoft’s Visual Studio Team System.)
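The mechanics behind the two points above, running code through several analyzers before check-in and then pulling their results together across tools so that a rise in one vulnerability type can be traced to the team that checked in the code, are shown in the following Python script. It is an added example, not Gauntlet, Hailstorm, SCA or K7 code; the two tool output formats, the URL-to-file routing table, the path-to-team ownership map and the sample findings are all constructed here for illustration and do not match any real product's format.

```python
"""Correlate findings from several analysis tools into one trend report.

Added example (hypothetical). Tool output formats, ownership map and sample
findings are constructed; real analyzers emit their own formats.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One normalized result, whichever tool produced it."""
    build: int
    tool: str    # analyzer that reported it ("static" or "blackbox")
    file: str    # source file the finding is attributed to
    kind: str    # normalized vulnerability category
    group: str   # team owning the file


# Constructed ownership map: path prefix -> team (hypothetical).
OWNERS = {"src/web/": "web-team", "src/db/": "data-team"}


def owner_of(path: str) -> str:
    """Map a source path to the team that owns it."""
    for prefix, team in OWNERS.items():
        if path.startswith(prefix):
            return team
    return "unowned"


# Constructed output of a hypothetical source-code analyzer:
# (build, file, line, rule).
STATIC_OUTPUT = [
    (41, "src/web/login.jsp", 12, "sql_injection"),
    (42, "src/web/login.jsp", 12, "sql_injection"),
    (42, "src/web/search.jsp", 30, "sql_injection"),
    (42, "src/db/pool.java", 88, "resource_leak"),
]

# Constructed output of a hypothetical black-box scanner: (build, url, check).
BLACKBOX_OUTPUT = [
    (41, "/login", "xss"),
    (42, "/login", "xss"),
    (42, "/search", "sql_injection"),
]

# Constructed routing table so dynamic hits can be attributed to code.
URL_TO_FILE = {"/login": "src/web/login.jsp", "/search": "src/web/search.jsp"}


def normalize_static(rows):
    """Convert static-analyzer rows into Finding records."""
    return [Finding(b, "static", f, rule, owner_of(f)) for b, f, _line, rule in rows]


def normalize_blackbox(rows):
    """Convert black-box scanner rows into Finding records, mapping URL -> file."""
    out = []
    for b, url, check in rows:
        f = URL_TO_FILE.get(url, url)  # fall back to the URL if unmapped
        out.append(Finding(b, "blackbox", f, check, owner_of(f)))
    return out


def tools_by_issue(findings, build):
    """Collapse per-tool findings to distinct issues: (file, kind) -> set of tools."""
    issues = defaultdict(set)
    for f in findings:
        if f.build == build:
            issues[(f.file, f.kind)].add(f.tool)
    return issues


def corroborated(findings, build):
    """Issues reported by more than one tool (e.g. both static and black-box)."""
    return sorted(k for k, tools in tools_by_issue(findings, build).items() if len(tools) > 1)


def counts_by_group_and_kind(findings, build):
    """Distinct issues per (owning team, vulnerability category) for one build."""
    counts = defaultdict(int)
    for file, kind in tools_by_issue(findings, build):
        counts[(owner_of(file), kind)] += 1
    return dict(counts)


def trend(findings, prev_build, cur_build):
    """Change in issue count per (team, category) between two builds."""
    before = counts_by_group_and_kind(findings, prev_build)
    after = counts_by_group_and_kind(findings, cur_build)
    return {k: after.get(k, 0) - before.get(k, 0) for k in set(before) | set(after)}


def gate(findings, prev_build, cur_build, max_increase=0):
    """(team, category, delta) for every category that rose beyond the allowance."""
    deltas = trend(findings, prev_build, cur_build)
    return sorted((g, k, d) for (g, k), d in deltas.items() if d > max_increase)


ALL_FINDINGS = normalize_static(STATIC_OUTPUT) + normalize_blackbox(BLACKBOX_OUTPUT)

if __name__ == "__main__":
    for team, kind, delta in gate(ALL_FINDINGS, 41, 42):
        print(f"{team}: {kind} rose by {delta}")
    print("corroborated by more than one tool:", corroborated(ALL_FINDINGS, 42))
```

Findings are keyed on (file, category) rather than on tool, so a static hit and a black-box hit on the same issue count once in the trend and surface separately as corroborated; `gate` is the pre-check-in decision, failing only the (team, category) pairs whose count rose past the allowance rather than blocking on every pre-existing finding.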

Ovum’s Rotibi said Borland is taking a much deeper look at some of the individual phases in the ALM process, and application security is a part of that. That approach is “quite canny,” she said. “They have solved their problem around CodeGear,” she said, referring to Borland’s recent spin-off of the developer tools group. “They have nothing to lose, and they are going for it in a big way.”


Share this link: http://www.sdtimes.com/link/30250