HP Updates Fortify Static Code Analyzer

Hewlett-Packard has updated its security and code quality tool after unveiling version 4.0 of its Fortify Static Code Analyzer (SCA).

The enhancements beefs up both the performance, accuracy and feature set of the tool.

Code Testing

Static Analysis refers to the examination of code at rest that is not actually running. Such an analysis can often find programmatic code errors that can impact code execution as well as security.

The SCA 4.0 version is 10 times faster at code analysis than prior releases, Mike Armistead, vice president and general manager, Enterprise Security Products for HP’s Fortify division, told eWEEK. Armistead is a co-founder of Fortify, a company that HP acquired in 2010 for its source-code analysis capabilities.

SCA 4.0 is able to scan source code in 21 different programming languages as well as their associated programming frameworks.

“SCA is all about stitching together an application and giving you an idea of how data may flow through and how functions are used,” Armistead explained.

With the 4.0 release, in addition to the speed boost, there has also been a 20 percent accuracy improvement in code analysis, which means that there will now be fewer false positives for code defects, he said.

In the early days of static analysis, one of the primary defects that was caught is a coding flaw known as a “null pointer.” A null pointer is a code element where a program is trying to access a memory location that doesn’t exist. That flaw can lead to stability and security problems.

While SCA 4.0 will detect null pointers, Armistead noted that those types of errors are more common in the C and C++ programming language than in other languages. As Java and .NET language use has proliferated, there are fewer null pointer defects due to features in those languages that mitigate the risks of the same kinds of memory issues.

Analysis Engine

“The adversary has now also moved on,” Armistead said. “They have moved on to Cross Site Scripting and Cross Site Request Forgery as well as other categories of flaws that have not been as easily recognised by developers.”

SCA 4.0 has its own built-in analysis engine and it also benefits from a quarterly update from HP that delivers intelligence on secure coding rules, Armistead said. HP’s security intelligence has insight into how new forms of attack are taking place and is able to pass along that information to help developers write more secure code.

In the modern development world, a key area of focus for SCA 4.0 is on mobile development, including both Apple iOS and Google Android.

“There are vulnerabilities that are unique to mobile apps,” Armistead said.

The reality is also that even though mobile development and new programming frameworks have emerged over the years, many of the coding mistakes that static analysis can find are the same year-after-year.

“I wish it were sexier than this, but development organisations keep making the same mistakes,” Armistead said.

What do you know about Internet security? Find out with our quiz!

Originally published on eWeek.