Homing in on the need for more security in application development, IBM Rational is planning an enterprise-level product that features two separately acquired technologies for security testing and code scanning.
The product, which would be released later this year, would feature Rational AppScan testing capabilities, acquired when IBM bought Watchfire in 2007, and the former Ounce Labs software that checks code for security issues, said David Grant, director of security solutions at Rational, in an interview late last week. IBM bought Ounce last year.
“[The combined product] brings a whole new level of accuracy to security testing,” Grant said.
AppScan has tested software from the outside, looking at applications already built, while Ounce does inside-out testing of source code for security flaws. “What we’re working on is really bringing those two together,” said Grant. IBM furthered development of AppScan in 2008 to feature analysis during the software development process.
AppScan technology, Grant said, has been embedded in Rational software delivery lifecycle products, such as RequisitePro and Quality Manager. Ounce technology also is being incorporated into Rational offerings.
Application security is becoming more important because software is driving everything these days and Web applications are front-ending business applications, Grant said. This can expose systems to outsiders, including malicious individuals, who can access sensitive information, he said. But security typically has not been at the forefront of software development, he said.
“The problem with application security is developers typically aren’t trained, aren’t incented, to be honest with you,” to prevent security flaws in applications, Grant said. Security issues such as SQL injection, in which a database gives improper access to information, or cross-site scripting, in which a browser session is hijacked, can occur.