Code Security...How to find and fix vulnerabilities

During our studies at eMSIST, we have read and discussed security risks and vulnerabilities, but it never dawned on me that the vulnerabilities may be within the code itself.  I had the opportunity to learn about the HP Fortify code analyzer the other day while speaking to an HP analyst https://www.fortify.com/products/hpfssc/index.html.

The Military Health System analyzed over 5 million lines of code in their electronic health record using both static and dynamic code tools this past year and discovered thousands of vulnerabilities.  Two good things came out of this.  First, we integrated code analysis into all new software development projects to identify and fix problems immediately.  This reduced costs dramatically because we fixed problems early.  Secondly, we used the analysis findings to prioritize code defect fixes that bubbled up from trouble tickets to prioritize which defect to fix first.

OWASP or Open Web Application Security Project encourages the use of a code analyzer during software development as a powerful tool that gives the developer immediate feedback with recommendations how to re-write the code. https://www.owasp.org/index.php/Source_Code_Analysis_Tools  Although code analyzers are excellent tools, they cannot detect all vulnerabilities and have particular difficulty in the area of authentication, access control and encryption.  Because the only look for problems in the code, they cannot identify configuration or infrastructure issues.

On September 12, 2011 Information Week reported that HP Expands Security Offerings http://www.informationweek.com/news/security/app-security/231601254 providing dynamic analysis for web applications in the cloud.