News on Monday
more>>
SharePoint Tech Report
more>>

Download Current Issue
ISSUE 3/15/2010 PDF

Need Back Issues?
DOWNLOAD HERE

Receive the print Edition?

ASP.NET MVC 2 Ships
ASP.NET MVC 2 has shipped.
03/12/2010 10:26 AM EST

Microsoft plans 'open' Silverlight analytics framework
Microsoft is going to announce a multipurpose analytics framework for Silverlight at MIX.
03/11/2010 09:51 AM EST

About CSS processing
Two sites that lead to a startling CSS conclusion.
03/10/2010 02:29 AM EST

3/14/2010 to 3/18/2010
Seattle, Wa.
SHARE

Cloud Connect

3/15/2010 to 3/18/2010
Santa Clara, Calif.
TechWeb

Microsoft MIX10

3/15/2010 to 3/17/2010
Las Vegas
Microsoft

SharePointPro Summit & Expo

3/16/2010 to 3/19/2010
Las Vegas
Penton Media

TheServerSide Java Symposium

3/17/2010 to 3/19/2010
Las Vegas
TechTarget

HOME ALL STORIES LATEST NEWS COLUMNS OPINIONS EDITORIALS GUEST VIEWS SHORT TAKES DATA WATCH SPECIAL REPORTS ZEICHICK'S TAKE SD TIMES 100 EDITORS' BLOG

RSS FEEDS

FACEBOOK

TWITTER

WHITE PAPERS SPONSORED PROFILES JOB BOARD WEBINAR CENTER FREE SOFTWARE BZ RESEARCH ALMSHAREPOINT EVENTS CALENDAR PRINT/PDF EDITION PRINT/PDF BACK ISSUES

SUBSCRIBE TODAY CUSTOMER SERVICE EDITORIAL CALENDAR EDITORIAL BEATS GUEST VIEW GUIDE SD TIMES 100 GUIDE EVENTS CALENDAR ADVERTISING ARTICLE REPRINTS REPORT A BUG SITE MAP

ABOUT US BZ MEDIA NEWS BZ RESEARCH SYSMANNEWS SPTECHCON ESDC IPHONEDEVCON PRIVACY POLICY CONTACT US

Printable version

HOME >> LATEST NEWS

Most Read Latest News Blog Resources

Even with its success, .NET causes some consternation
Despite its popularity, the developer community believes that .NET isn't being fully serve...

Appcelerator dev environment targets Android, iPhone
This unified development environment compiles JavaScript into Objective-C or Java, and wil...

VMware releases Tomcat-based server for Spring
SpringSource and VMware are moving their platforms closer together with tc Server for Spri...

IBM pushes EGL as key to legacy modernization
Rational Migration Extension for Rich UI can transform CA green-screen interfaces to EGL c...

Zend Server 5.0 adds debugging for PHP
Black box debugging and a job queue highlight the new features for the latest version of Z...

VersionOne extends agile project management solution
VersionOne Ultimate Edition offers a trio of components that push agile functionality out ...

ASP.NET MVC 2 Ships
ASP.NET MVC 2 has shipped.

Microsoft plans 'open' Silverlight analytics framework
Microsoft is going to announce a multipurpose analytics framework for Silverlight at MIX.

About CSS processing
Two sites that lead to a startling CSS conclusion.

Overcoming Development Challenges with Open Source Open source software can help you with your application development challenges. It doesn’t...

Accelerate Services and the Cloud Business units, functional groups, and different divisions of companies across industries...

Enterprise Mashup Platforms for Today’s Increasingly Complex and Real-Time Context Enterprise Mashups offer your company a new way to connect data from inside and outside yo...

Technorati

Digg

Slashdot

Facebook

Friendfeed

Twitter

del.icio.us

IBM implements static analysis in AppScan update

By Jeff Feinman

September 23, 2008 —

IBM has released two new editions of its Rational AppScan security product to integrate security into the development and build stages of the software life cycle.

Rational AppScan Developer Edition (DE) and Rational AppScan Build Edition, released yesterday, give developers a “finite list” of vulnerabilities. They also integrate into IDEs like Rational Application Developer and Eclipse, according to IBM executives.

The integration feature of Rational AppScan DE makes it easier than using a separate product or scan. David Grant, director of marketing for IBM Rational’s security solutions, said it’s like a spell-checker built into those environments. It generates reports as actionable task lists instead of detailed vulnerability reports to help fix issues faster. The edition also integrates with Rational AppScan’s Reporting Console to provide Web-based reporting.

IBM executives claimed Rational AppScan DE is the first industry product to include static analysis, black box testing, runtime analysis and string analysis.

String analysis focuses on resolving false positives, which IBM said is the biggest challenge plaguing current security code scanning solutions. It is a patent-pending technique that brings automation to code analysis.

Until now, the most advanced technique for analyzing code security was taint analysis, which tracked input values through the system but relied on the developer to determine if the data was properly analyzed, IBM said. String analysis, however, automates code analysis configuration to help eliminate false positives.

“If you think about the problem with code testing for security, at least, you need a knowledge of both code and security,” Grant said. “String analysis is a form of static testing that gives the user more understanding of the application, and [it] automates more of the discovery of the application and the actual scan test configuration so that you’re not leaving [it] in the hands of the developer having to know how to tweak a test or scan before actually running the test.”

Rational AppScan Build Edition, meanwhile, embeds Web application security testing into build management in order to automate security testing. It is focused on finding vulnerabilities early in the development life cycle, and like Developer Edition, combines multiple analysis techniques for scanning, according to IBM. Build Edition can also automate application vulnerability scanning and do things like JavaScript execution and Web Service testing.

“When the build runs, whether it be nightly or weekly, we can test for security issues as part of that build automation, and then reject the build or send back the issues to developers,” Grant said. “They can then open AppScan DE within the IDE and fix those tickets and issues.”

Related Search Term(s): ALM, security, IBM

Share this link: http://www.sdtimes.com/link/32889

Application security, IBM style Jack Danahy, founder of Ounce Labs, discusses acquisitions by IBM and what he sees in the security space

IBM integrates Web application security Big Blue links WebSphere DataPower’s SOA Appliances with Tivoli Security Policy Manager to make security management easier.

IBM acquires security testing company Ounce Labs Ounce's source code analysis software is expected to extend IBM’s application security and compliance products.

Add comment

Name*
Email*
Country

Comment
Preview

IBM implements static analysis in AppScan update

By Jeff Feinman

Related Articles

Add comment