There's really no excuse any more for deploying insecure software. With the vast majority of software, especially Web applications, becoming blatant targets for hackers everywhere, it was until recently considered understandable if your software was compromised. After all, there are a lot more bad guys out there than any one team of developers can cope with.
But according to Barmak Meftah, senior vice president of products and technology for Fortify Software, the advent of on-demand software assessment tools means that no software should be deployed without first being assessed for known security issues. There might be cases where software comes under some new attack, but by and large there is no reason that known security issues should not be addressed before a piece of software is deployed.
According to Meftah, developers can now take advantage of a new on-demand security assessment service that examines code to identify various security issues. The assessment can take place in a few hours to as long as three days depending on the complexity of the software at a price of about $3,500 for a one-time scan. For more complex projects involving iterative development models, the Fortify service is available for $10,000 a year on an unlimited use basis.
The point, says Meftah, is that software developers have been short-circuiting the security assessment phase of the application development process for years. Now customers can easily scan that software before accepting delivery of it to determine its security weaknesses. Customers can either choose to use Fortify's technology to statically assess a piece of code, or rely on technology from WhiteHat Security that Fortify resells. In either case, customers can choose to examine source code or executables before finding out how secure those applications are the hard way.
As security assessment technologies of all types become available as a service, hopefully in the New Year we'll see a lot more resolutions being kept when it comes to application security that right now is the bane of the Internet.