IBM improves software security analysis

IBM announced new software and analysis capabilities that provide a more efficient and accurate way to design and manage secure applications.

By consolidating software vulnerability analysis and reporting into a single view across the whole software application development lifecycle, organizations can now enable development teams to easily identify and test security exposures, helping reduce the risks and costs associated with security and compliance concerns.

Through a consolidated view of software source code assessment and Web application scan results, development teams can now take on the security expertise necessary for today’s software development environments. For example, organizations can use the software to automate application security audits and source code scanning to ensure that the network and Web-based applications are secure and compliant. This delivers improved accuracy of vulnerability identification and remediation.

To further simplify security vulnerability analysis and identification for software developers, IBM Research provided string analysis, a software development capability that helps simplify the security testing process by automatically detecting and verifying which Web application development input needs to be cleansed to remove security risks. This capability helps accelerate the accuracy and efficiency of security testing by the development community, regardless of their security expertise.

According to IBM’s 2010 mid-year X-Force Trend Report, 55 percent of all vulnerabilities come from Web applications, making it the greatest source of risk for organizations. The research indicates that computer security threats rose by 36 percent in the first half of 2010, resulting in more than 4,000 new vulnerabilities being documented compared to last year.

Organizations need to implement security strategies that ensure applications are designed securely across the entire development lifecycle, from start to finish. Finding ways to extend security analysis across more testers in the security process and employing multiple testing techniques will result in higher-quality and more secure applications

The new advancements in the IBM Rational AppScan portfolio simplify and automate security scanning with new hybrid analysis capabilities, improving vulnerability identification and remediation. The hybrid analysis provides automated correlation of results from static code analysis and dynamic analysis to increase vulnerability identification in automated software.

New enhancements to the IBM Rational AppScan portfolio include:

Consolidated view of vulnerabilities: Hybrid Analysis Reporting provides automated correlation of results discovered by static code analysis and dynamic analysis.

Broader scanning access identifies blind spots: Hybrid Analysis Scanning enables the simultaneous application of static code analysis and dynamic analysis testing to identify more vulnerabilities than were previously detectable by software.

Security assessment process simplified: String analysis simplifies the security testing process by automatically detecting what code is meant to cleanse user input in Web applications and also verify it is coded properly.

Multiple frameworks supported: Extensible Application Framework is another innovation in Rational AppScan Source Edition that provides greater visibility and data flow analysis into commercial, open source, and in-house developed Web application frameworks.