April 6, 2004 10:26 AM PDT

Start-up takes a crack at blocking hackers

A Silicon Valley start-up launched on Tuesday with the goal of helping software companies shut out hackers.

The Menlo Park, Calif.-based company, Fortify Software, is offering a set of tools designed to test software for potential flaws, while products are still being built. The tools allow companies to examine the underlying code programmers write more closely, cutting down on the likelihood of security weaknesses, according to Fortify.


Get Up to Speed on...
Enterprise security
Get the latest headlines and
company-specific news in our
expanded GUTS section.


"Despite efforts to eliminate intrusions using perimeter solutions and firewalls, enterprises continue to face potentially disastrous threats due to vulnerabilities in the application layer," Fortify Chairman Ted Schlein said in a statement. "By addressing security vulnerabilities early in the development and release cycle, applications are fortified against security threats."

As part of the launch, Fortify cited a 2003 study published by the FBI and the Computer Security Institute, which indicated that online security attacks are still rising and found that 92 percent of all end-user companies had experienced some form of security lapse in the previous year. In defining its market opportunity, Fortify also pointed to a recent U.S. Department of Justice report that concluded that online fraud and abuse costs more than $400 billion annually in the United States alone.

The company's Source Code Analysis and Run-time Analysis products are designed to help eliminate underlying code flaws by searching for common vulnerabilities such as stack buffer overflows, format string errors and SQL injection exploits. The Source Code Analysis suite scours for such security holes in C/C++ and Java-based applications, while the Run-time Analysis tools allow software developers to test products against potential hacks.
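To make concrete what a source-level checker of the kind described above looks for, the following is an added, toy illustration (not Fortify's product, nor code from this article): a rule-based scanner that flags unbounded copies into fixed-size buffers and non-literal format strings in C, and SQL queries assembled from variables or string concatenation in Java. It works on raw text with a small argument splitter, which is an assumption made for brevity; a production analyzer parses the code into an AST and tracks data flow from untrusted input to the dangerous call. The C and Java samples are constructed for the example.

```python
"""Toy rule-based source checker (added example, not a real product).

Flags three of the vulnerability classes the article names:
  * stack buffer overflow via unbounded copy (gets/strcpy/strcat/sprintf)
  * format string misuse (printf family called with a non-literal format)
  * SQL injection (Java execute*() given a concatenated or variable query)
Real analyzers work on an AST with taint tracking; regexes are an assumption
made to keep this self-contained.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line number in the scanned source
    rule: str      # short rule identifier
    snippet: str   # the offending source line, stripped


# printf-family functions and the 0-based index of their format argument
FORMAT_ARG = {"printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2, "syslog": 1}
# C functions that copy unbounded input into a caller-supplied buffer
UNBOUNDED_COPY = {"gets", "strcpy", "strcat", "sprintf"}
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
JAVA_EXEC_RE = re.compile(r"\.(executeQuery|executeUpdate|execute)\s*\(")


def split_args(text: str) -> List[str]:
    """Split the argument list that follows an opening paren.
    Respects nested parens and "..." literals; stops at the matching ')'."""
    args, depth, cur, in_str, i = [], 0, "", False, 0
    while i < len(text):
        ch = text[i]
        if in_str:
            cur += ch
            if ch == "\\":          # keep escaped char with its backslash
                cur += text[i + 1]
                i += 1
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            cur += ch
        elif ch == "(":
            depth += 1
            cur += ch
        elif ch == ")":
            if depth == 0:
                break               # end of this call's argument list
            depth -= 1
            cur += ch
        elif ch == "," and depth == 0:
            args.append(cur.strip())
            cur = ""
        else:
            cur += ch
        i += 1
    if cur.strip():
        args.append(cur.strip())
    return args


def is_string_literal(arg: str) -> bool:
    """True only if arg is exactly one "..." literal (no concatenation)."""
    if len(arg) < 2 or arg[0] != '"':
        return False
    i = 1
    while i < len(arg):
        if arg[i] == "\\":
            i += 2
            continue
        if arg[i] == '"':
            return i == len(arg) - 1   # closing quote must end the argument
        i += 1
    return False


def scan_c(source: str) -> List[Finding]:
    """Flag unbounded copies and non-literal format strings in C source."""
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            name, args = m.group(1), split_args(line[m.end():])
            if name in UNBOUNDED_COPY:
                findings.append(Finding(n, "unbounded-copy", line.strip()))
            idx = FORMAT_ARG.get(name)
            if idx is not None and idx < len(args) and not is_string_literal(args[idx]):
                findings.append(Finding(n, "format-string", line.strip()))
    return findings


def scan_java(source: str) -> List[Finding]:
    """Flag execute*() calls whose query is not a single string literal.
    A parameterised PreparedStatement (executeQuery() with no args) passes."""
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        m = JAVA_EXEC_RE.search(line)
        if m:
            args = split_args(line[m.end():])
            if args and not is_string_literal(args[0]):
                findings.append(Finding(n, "sql-injection", line.strip()))
    return findings


# Constructed samples: two findings expected in each.
C_SAMPLE = r"""#include <stdio.h>
#include <string.h>
void greet(const char *name) {
    char buf[64];
    strcpy(buf, name);                       /* unbounded copy into buf[64] */
    printf(buf);                             /* caller data used as format */
    printf("%s\n", buf);                     /* literal format: fine */
    snprintf(buf, sizeof buf, "%s", name);   /* bounded, literal: fine */
}"""

JAVA_SAMPLE = """String q = "SELECT * FROM users WHERE name = '" + name + "'";
ResultSet rs = stmt.executeQuery(q);                                   // variable
rs = stmt.executeQuery("SELECT * FROM users WHERE id = " + id);        // concatenation
PreparedStatement ps = c.prepareStatement("SELECT * FROM users WHERE id = ?");
ps.setInt(1, id);
rs = ps.executeQuery();                                                // parameterised"""

if __name__ == "__main__":
    for f in scan_c(C_SAMPLE) + scan_java(JAVA_SAMPLE):
        print(f"line {f.line}: {f.rule}: {f.snippet}")
```

The two helpers, `split_args` and `is_string_literal`, carry the whole check: the format-string rule only fires when the format argument is something other than a single literal, and the SQL rule treats both a variable and a `"..." + x` concatenation as suspect while letting a parameterised statement through. Either rule can produce false positives (a format string built from trusted constants, a query assembled from whitelisted fragments), which is exactly the "different code paths" problem the analyst quoted below raises.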

Fortify's strategy of tackling security flaws during the software development cycle makes sense, according to Pete Lindstrom, an analyst at Spire Security in Malvern, Pa., but he noted that it remains hard to find all the potential loopholes.

"There's an obvious benefit, and companies have been trying for some time to catch more bugs before the software is ever released," Lindstrom said. "The challenge is finding an automated solution that can understand all of the different code paths programmers might use--that's a very complex proposition."

The Fortify tools support several different operating systems, including Linux, Microsoft Windows and Sun Microsystems' Solaris. The company said it is making the software available to a select group of testers, with plans to formally introduce initial versions of the products in the second quarter of 2004.

Backed by the well-known venture capital firm Kleiner Perkins Caufield & Byers, Fortify includes several security experts in its executive ranks, Schlein among them. In addition to being a managing partner at the venture firm, Schlein is a former executive at antivirus software maker Symantec. Also involved in the company is Gary McGraw, an established author on software security and the chief technology officer at Cigital, a consultancy specializing in security and quality management.

Academic groups and other companies have also attempted to create similar tools. The Splint project aims to create a software checker that can catch security flaws in C programs. Researchers at other institutions, including Bell Labs and Stanford University, have also built bug-finding software.

Several companies, including software maker Sanctum, focus on Web applications but are considered direct competitors to Fortify.

Lindstrom also pointed out that many vendors, including Microsoft, which bought Intrinsa to build its own testing processes, use internal controls in efforts to weed out potential flaws. Microsoft plans to release some of its technology in future versions of Visual Studio.

CNET News.com's Robert Lemos contributed to this report.
