Fortify traces security vulnerabilities
Source code analysis specialist Fortify Software releases tool that hunts down vulnerabilities
Source code analysis specialist Fortify Software has released a new tool designed to enable firms to identify and manage vulnerabilities in their software by making their black box security testing processes more effective.
Fortify Tracer provides code-level information about programs, which can help security professionals and developers maximise the efficiency of their black box testing, and it can also be used to augment third-party testing systems, said the firm's founder Roger Thornton.
"It takes a program, goes inside it and finds all the places in the code where an interesting security action occurs," he explained. "In large business systems the amount of vulnerabilities per line of code are staggeringly high considering the relative importance of business applications compared to desktop software."
The product shows security testers where in the source code vulnerabilities are located so they can be remediated swiftly. It also provides detailed reports and dashboards to communicate this data, sorting the vulnerabilities according to the 118 categories identified in Fortify's database of vulnerability patterns.
"For penetration or quality assurance testers that want to do security testing it's a must-have tool," argued Thornton. "It finds the same security vulnerabilities the bad guys do – tools like this can really eradicate a lot of the problems out there."
Andy Kellett of analyst Butler Group cautioned that the technology would only be of value to organisations if their developers first have the appropriate level of security expertise.
He added that because the tool is not an end-to-end solution, this could present a barrier to adoption.