
ALM Inches a Step Closer to Application Security


Borland’s Gauntlet partners are a first sign vulnerability testing has arrived



March 1, 2007
Application security hasn’t been a high focus area for ALM tool makers, but Borland Software may be showing signs that a change is finally afoot.

When the company announced its Open Application Lifecycle Management strategy earlier this year, it named three application security partners: Cenzic, Fortify and Klocwork. “I am not surprised that [Borland is] pushing security as a big issue,” said Ovum analyst Bola Rotibi. It’s likely to become a big issue for all ALM tool makers going forward, she said.

Included in Borland’s Open ALM announcement was the launch of Gauntlet. The automated build and testing tool is based on technology Borland acquired when it bought Gauntlet Systems last May. Designed to work with Borland’s Lifecycle Quality Management (LQM) tools—for project management, requirements definition, quality management and change management—Gauntlet provides development teams with an efficient way to subject code to various forms of analysis before it is checked in for a build, noted Forrester analyst Carey Schwaber.

For instance, by plugging Cenzic’s Hailstorm into Gauntlet, a team could run black-box tests against the running application, simulating actual attacks in order to pinpoint holes an attacker might exploit. In the same fashion, Fortify’s SCA or Klocwork’s K7 could be used to analyze the source code itself for vulnerabilities.

Asked whether Borland’s emphasis on application security is a sign that black-box testing and source code analysis are likely to become integral parts of the ALM process and of the ALM tool set, Borland vice president of product marketing Marc Brown said security is just one among several quality issues.

But Borland agrees that, among ALM tool makers in general, security aspects of quality have not made their way into application life-cycle discussions. “But to be successful with application security—or anything else, for that matter—you have to ensure that discipline is woven into daily practices,” said Borland director of development solutions Rob Cheng. Cenzic vice president of marketing Mandeep Khera agreed. “You have to catch security vulnerabilities earlier in the cycle.” To accomplish that, application security testing must become part of the ALM process, he said.

WHERE DOES IT FIT?
One reason why that hasn’t happened yet is that it is difficult to figure out just where application security fits, said Schwaber. “No one knows where in the development cycle it should go.” It’s not clear whether it’s the responsibility of developers or testers, or that of the information security group, she said. She doesn’t believe Borland is promoting the application security message intentionally. “What [the announced Gauntlet partners] have in common is that all of them do static analysis.”

Infusing analysis into the ALM tool set and the ALM process is what Gauntlet is all about, said Borland’s Cheng. Many ALM tools are integrated with application security offerings, but such integrations are typically point to point, he said. For instance, Cenzic Hailstorm is integrated with Hewlett-Packard’s testing tools, formerly Mercury. And Fortify SCA works with the Rational Software Development Platform. But Gauntlet, when used in tandem with Borland LQM offerings, can bring together data from many different tools, generating reports on key security trends, for instance. “You could see that code checked in by this group of developers resulted in a rise of this particular type of vulnerability,” said Cheng, offering an example. (Forrester’s Schwaber noted that reports that pull data from many different products can also be created with Microsoft’s Visual Studio Team System.)
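As an added illustration of the kind of cross-tool trend report Cheng describes (this is example code written for this page, not Gauntlet’s own code, and it does not use the partner products’ real data formats), the Python below maps findings from several hypothetical analysis tools into one common record, collapses the same bug reported by two tools into a single entry, computes the per-group rise or fall of each vulnerability category between two builds, and applies the pre-check-in gate mentioned earlier: a build is held when it introduces a new high-severity finding. The tool names, developer groups, vulnerability categories and sample findings are all constructed for the example.

```python
"""Aggregate findings from several analysis tools into one report.

Illustrative only: the tool names ("static-a", "static-b", "dast"), the
record layout and the sample findings are constructed for this example
and are not the output formats of Gauntlet, Hailstorm, SCA or K7.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    build: int       # build number in which the finding was observed
    tool: str        # hypothetical tool that reported it
    group: str       # developer group that owned the check-in (assumed to come from SCM metadata)
    category: str    # normalized vulnerability class
    severity: str    # "high", "medium" or "low"
    location: str    # file:line for static tools, request path for black-box tests


# Constructed sample: two consecutive builds as three hypothetical tools would
# report them, already mapped into the common record above.
SAMPLE = [
    Finding(41, "static-a", "payments", "sql-injection", "high", "src/orders.java:88"),
    Finding(41, "static-b", "payments", "sql-injection", "high", "src/orders.java:88"),  # same bug, second tool
    Finding(41, "static-a", "web", "xss", "medium", "src/search.jsp:12"),
    Finding(41, "dast", "web", "xss", "medium", "/search?q="),
    Finding(42, "static-a", "payments", "sql-injection", "high", "src/orders.java:88"),
    Finding(42, "static-b", "payments", "sql-injection", "high", "src/orders.java:88"),
    Finding(42, "static-a", "payments", "sql-injection", "high", "src/refunds.java:41"),  # new in build 42
    Finding(42, "dast", "web", "xss", "medium", "/search?q="),                            # static-a no longer flags it
    Finding(42, "static-b", "web", "path-traversal", "high", "src/download.jsp:30"),     # new in build 42
]


def dedupe(findings):
    """Collapse the same (build, group, category, location) reported by several
    tools into one entry, so a bug seen by two tools is counted once.
    A static location and a black-box request path for the same bug still
    count separately; correlating those needs a mapping this example omits."""
    return {(f.build, f.group, f.category, f.location) for f in findings}


def counts_by_group_category(findings, build):
    """Unique findings per (group, category) in one build."""
    counts = Counter()
    for b, group, category, _location in dedupe(findings):
        if b == build:
            counts[(group, category)] += 1
    return counts


def trend(findings, prev_build, curr_build):
    """Change per (group, category) between two builds; positive means a rise."""
    prev = counts_by_group_category(findings, prev_build)
    curr = counts_by_group_category(findings, curr_build)
    return {key: curr[key] - prev[key] for key in set(prev) | set(curr)}


def new_high_findings(findings, prev_build, curr_build):
    """High-severity findings present in curr_build but absent from prev_build,
    keyed by (group, category, location). This is what a pre-check-in gate blocks on."""
    prev_keys = {(f.group, f.category, f.location) for f in findings if f.build == prev_build}
    return sorted({
        (f.group, f.category, f.location)
        for f in findings
        if f.build == curr_build and f.severity == "high"
        and (f.group, f.category, f.location) not in prev_keys
    })


def gate(findings, prev_build, curr_build):
    """True when the build may proceed: it introduced no new high-severity finding."""
    return not new_high_findings(findings, prev_build, curr_build)


if __name__ == "__main__":
    for (group, category), delta in sorted(trend(SAMPLE, 41, 42).items()):
        print(f"{group:10} {category:16} {delta:+d}")
    print("new high-severity findings:", new_high_findings(SAMPLE, 41, 42))
    print("build 42 may proceed:", gate(SAMPLE, 41, 42))
```

Keying the gate on (group, category, location) rather than on raw counts is deliberate: a count can stay flat while one bug is fixed and another introduced, and the per-developer-group attribution is what turns a pile of tool output into the “this group’s check-ins raised this class of vulnerability” statement the article quotes.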

Ovum’s Rotibi said Borland is taking a much deeper look at some of the individual phases in the ALM process, and application security is a part of that. That approach is “quite canny,” she said. “They have solved their problem around CodeGear,” she said, referring to Borland’s recent spin-off of the developer tools group. “They have nothing to lose, and they are going for it in a big way.”



 