Start-up takes a crack at blocking hackers

The Menlo Park, Calif.-based company, Fortify Software, is offering a set of tools designed to test software for potential flaws, while products are still being built. The tools allow companies to examine the underlying code programmers write more closely, cutting down on the likelihood of security weaknesses, according to Fortify.

		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

"Despite efforts to eliminate intrusions using perimeter solutions and firewalls, enterprises continue to face potentially disastrous threats due to vulnerabilities in the application layer," Fortify Chairman Ted Schlein said in a statement. "By addressing security vulnerabilities early in the development and release cycle, applications are fortified against security threats."

As part of the launch, Fortify cited a 2003 study published by the FBI and the Computer Security Institute, which indicated that online security attacks are still rising and found that 92 percent of all end-user companies had experienced some form of security lapse in the previous year. In defining its market opportunity, Fortify also pointed to a recent U.S. Department of Justice report that concluded that online fraud and abuse costs more than $400 billion annually in the United States alone.

The company's Source Code Analysis and Run-time Analysis products are designed to help eliminate underlying code flaws by searching for common vulnerabilities such as stack buffer overflows, format string errors and SQL injection exploits. The Source Code Analysis suite scours for such security holes in C/C++ and Java-based applications, while the Run-time Analysis tools allow software developers to test products against potential hacks.

Fortify's strategy of tackling security flaws during the software development cycle makes sense, according to Pete Lindstrom, an analyst at Spire Security in Malvern, Pa., but he noted that it remains hard to find all the potential loopholes.

"There's an obvious benefit, and companies have been trying for some time to catch more bugs before the software is ever released," Lindstrom said. "The challenge is finding an automated solution that can understand all of the different code paths programmers might use--that's a very complex proposition."

The Fortify tools support several different operating systems, including Linux, Microsoft Windows and Sun Microsystems' Solaris. The company said it is making the software available to a select group of testers, with plans to formally introduce initial versions of the products in the second quarter of 2004.

Backed by well-known venture capitalist firm Kleiner Perkins Caufield & Byers, Fortify includes in its executive ranks several security experts, Schlein among them. In addition to being a managing partner at the venture firm, Schlein is a former executive at antivirus software maker Symantec. Also involved in the company is Gary McGraw, an established author on software issues and the chief technology officer at consultancy Cigital, which specializes in security and quality management expertise.

Academic groups and other companies have also attempted to create similar tools. The Splint project aims at creating a software checker that can catch security flaws in C programs. Researchers at other institutions, including Bell Labs and Stanford University, have also created bug-finding software.

Several companies, including software maker Sanctum, focus on Web applications but are considered direct competitors to Fortify.

Lindstrom also pointed out that many vendors, including Microsoft, which bought Intrinsa to build its own testing processes, use internal controls in efforts to weed out potential flaws. Microsoft plans to release some of its technology in future versions of Visual Studio.

CNET News.com's Robert Lemos contributed to this report.