@stake, Inc. Introduces SmartRisk Analyzer - Breakthrough Automated Binary Solution to Identify Security Flaws in Software Applications

Business Editors/High-Tech Writers
Microsoft TechED 2004 Booth # 635

CAMBRIDGE, Mass.--(BUSINESS WIRE)--May 24, 2004

Developers and QA Can Address Security at the Start of the Application Lifecycle, Saving Millions on Incident Response

Digital security company @stake, Inc., today introduced its SmartRisk(TM) Analyzer, an automated solution for identifying security vulnerabilities in software applications that looks beneath traditional source code analysis to identify the root cause of security flaws. Using deep static analysis of the application binary code, developers can perform an extensive in-depth analysis by mapping application control and data flow paths into a comprehensive security model, expediting new, legacy and outsourced code review. SmartRisk Analyzer allows developers and quality assurance teams to find and fix security flaws early in the development cycle, reducing risk and saving millions of dollars on expensive incident response, including patch management and enterprise service interruptions.
"Exploiting programming flaws is the primary source of software security breaches today, and the costly development and deployment of a seemingly endless cycle of patches ignores the root cause of security vulnerabilities - insecure coding. Gartner believes the only way for enterprises to break out of a downward worm spiral is to make sure vulnerabilities are removed from all the software they buy and build before it goes into product use," said John Pescatore, vice president for Internet security, Gartner.

"We've taken the security intelligence and methodology of our best practices for manual code review from our consulting engagements and built this insight into an affordable automated solution for finding flaws in software applications," said Mike Pittenger, general manager of products, @stake, Inc. "Developers can integrate security into their existing projects and QA processes in a repeatable, measurable way and produce a more secure application at every stage."

Binary Analysis in the Runtime Environment - A Third-Generation Approach

SmartRisk Analyzer's automated static binary code analysis is a third-generation approach that significantly improves application security quality when compared with first- and second-generation source code analysis alone. These previous methods include lexical analysis, involving a simplistic search of source code for keywords, and keyword searches combined with contextual analysis.

"Binary analysis tools look at the application within the deployment environment. This analysis addresses variables introduced in the runtime environment," said Charles Kolodgy, research director for security products at IDC. "Most importantly, binary analysis allows developers to identify security vulnerabilities introduced by third-party libraries, even when the source code is unavailable."

Risk Analysis, Flaw Classification and Remediation

SmartRisk Analyzer builds a multidimensional model of the application and runs hundreds of risk analysis scans against the model to identify and prioritize security vulnerabilities. The strength of the risk analysis scans is the knowledgebase built by @stake through its more than 1,000 customer engagements. In conjunction with the multidimensional model of the application, the knowledgebase minimizes "false positive" results common in source code scanners. The comprehensive scans find flaws related to insecure or improper use of programming languages and standard libraries, flaws that may result from the deployment platform on which the application runs, and other vulnerabilities such as input validation flaws, command and script injection, and backdoors and malware.
Flaws are classified and grouped by level of priority from severe to informational and are annotated within the original source code to optimize developer productivity and facilitate the remediation process.

Advanced Vulnerability Reporting - Finding Your Security Quotient

SmartRisk Analyzer provides both detailed developer reports and summary reports for quality assurance and management. Detailed reports enable developers to fix flaws quickly. Summary reports of vulnerabilities by risk, severity and type allow quality assurance staff and management to track flaws and develop historical trends by various criteria. SmartRisk Analyzer assigns risk points for the application and assigns a "Security Quotient" to provide an enterprise-wide view of where the risk resides.

"SmartRisk Analyzer can provide management with comprehensive reports on applications developed in-house or outsourced. The @stake Security Quotient provides a benchmark for every application, allowing managers to monitor improvements in quality and identify weaknesses in their processes," said Pittenger. "The real strength of SmartRisk Analyzer, however, is the power it gives to developers. The detailed reports allow engineers to quickly prioritize vulnerabilities during the development cycle, when changes are most cost-effective," he continued.

Supported Environments and Product Availability

@stake's SmartRisk Analyzer supports C and C++ in Windows and Solaris, as well as Java J2EE.
System requirements include Windows 2000, 2003, or XP, a 2GHz CPU, 2GB of RAM and 100MB of disk space. The product is available for license by in-house developers or as part of @stake's consulting services. Product and licensing information and online ordering are available at www.atstake.com/products/analyzer or by calling +1.617.621.3500. Download a copy of @stake's white paper, "SmartRisk Analyzer: A New Era of Software Security," at www.atstake.com/products/analyzer/acrobat/atstake_sra_whitepaper.pdf

About @stake, Inc.

@stake, Inc., the premier digital security company, helps corporations secure critical infrastructure and electronic relationships. Delivering world-class consulting and education through its SmartRisk(TM) methodology and products, @stake clients include six of the world's top ten financial institutions, four of the world's top ten independent software companies and seven of the world's top ten telecommunications carriers. As the first company to develop an empirical model that measures Return On Security Investment (ROSI), @stake helps clients keep security investments in line with business requirements. Headquartered in Cambridge, MA, @stake has offices in Chicago, London, New York, Raleigh, San Francisco, and Seattle. For more information, go to www.atstake.com.

@stake and SmartRisk are trademarks of @stake, Inc. Other company, product and service names are trademarks or registered trademarks of their respective owners.