updated 4/7/2004 10:01:14 PM ET 2004-04-08T02:01:14

The world runs on software, and much of it is a buggy mess -- written on the fly by committees under deadline pressure, re-jigged to adapt to new functions, patched together with unexamined chunks of standby code. It is a small wonder that hackers take down bigger and bigger computer systems every year.

"People have always been reluctant to impose policies" on creating software without security gaps, says Mike Armistead, founder of Fortify Software, a Menlo Park, Calif., startup that aims to do that. "We want to simulate attacks so you know how [the software] will act before something bad really happens."

Aided by so-called white hat hackers (who point out potential security flaws before the bad guys find them), Fortify has produced development and analysis tools aimed at finding the flaws before a software application is released. One product looks for underlying security flaws in applications by checking every line of code at the end of a day's work. Another examines the entire structure when the software application is done, creating a sort of hacker's travel guide of likely vulnerabilities.

In effect, Fortify is taking a page from so-called "zero-defect" manufacturing: If you want to solve a problem effectively, you must locate it at the very beginning. Catching it further down the line just raises the expense of a fix.

Microsoft, with its numerous security patches on already-released products, should be listening. But Microsoft is hardly alone in sending out vulnerable code; the usual remedy of security software is firewalls, which check incoming messages for viruses, worms and other havoc-raisers. Between products and services, the firewall and intrusion detection business pulls in about $30 billion a year, enriching companies like Symantec and Check Point Software Technologies. The entire business is predicated on the idea that, inside the corporate system, there is badly built software that will be attacked.

Fortify's approach certainly seems simpler and cheaper -- partial toolkits for developers will cost $3,500 apiece and a full package is expected to run $150,000. Armistead counts himself lucky to have seen the opportunity first. "We kept reading different things, all the articles we could find," he says. "We kept waiting for someone else to reach the same conclusions."

Somebody already has, according to established developer-tools companies such as Borland and IBM. "We have capabilities that have a similar approach -- go through the daily build, look for known flaws," says Chris O'Conner, director of security strategy at IBM. Those products, which have been available for several years, are designed mostly for the Java programming language, he adds. Fortify, backed by venture capital giant Kleiner, Perkins, Caufield & Beyers, and started with just $4.7 million, claims to work in Java as well as languages C and C++, among others. Early customers include eBay's PayPal subsidiary.

But IBM and Fortify-type security analysis is not enough, O'Conner says. IBM also works to install security components in generally agreed upon programming standards, and teaches programmers how to look out for common hazards and associate the right privacy standards with the application being developed.

Security has become tougher, O'Conner notes, as computers move from machines inside corporate data centers to client/server designs to Internet-based computing. "Privacy and identity management become a lot more important," he says, noting that a recent security alliance between IBM and Cisco Systems takes things even further, so that the network itself can manage identities of things like cars or washing machines that are increasingly wired in. "There are a lot of disconnected devices that aren't tied to people," O'Conner says. "That will really change how much you have to program in."

© 2012


Discussion comments


Most active discussions

  1. votes comments
  2. votes comments
  3. votes comments
  4. votes comments

Data: Latest rates in the US

Home equity rates View rates in your area
Home equity type Today +/- Chart
$30K HELOC FICO 3.79%
$30K home equity loan FICO 4.99%
$75K home equity loan FICO 4.69%
Credit card rates View more rates
Card type Today +/- Last Week
Low Interest Cards 13.83%
Cash Back Cards 17.80%
Rewards Cards 17.18%