Security Bytes

Mar 5 2010   1:12AM GMT

Static source code analysis turned on its head



Posted by: maxsteel
Tags: Armorize, Caleb Sima, HP, SPI Dynamics, static source code analysis

If you’re into source code analysis and Web application security, then you know who Caleb Sima is. Sima, for the uninitiated, is cofounder of SPI Dynamics and the guy who helped build the popular static source code analyzer, DevInspect. SPI Dynamics was scooped up three years ago by HP, and until recently Sima has been busy handing off his pride and joy to the computing giant. He’s since left HP and has emerged as CEO of Taipei-based Armorize Technologies.

Armorize does source code analysis and Web application security, and is anxious to spread its influence beyond Asia into the U.S. Sima has known about Armorize for a while, meeting up annually with founders Wayne Huang and Matt Huang at the RSA Conference and learning more about their unique approach to source code analysis.

The company’s CodeSecure product turns static source code analysis on its head. Traditional analysis tools compile and scan a project, then hand developers a to-do list of issues and vulnerabilities that is painful to remediate. CodeSecure instead does real-time language syntax analysis, Sima said: like a spell-checker, it highlights problematic lines of code as the developer is typing, and a right-click of the mouse offers suggested fixes.
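To make the spell-checker comparison concrete, here is an added illustration of the idea (it is not Armorize or CodeSecure code, and says nothing about how their product is built). It parses a constructed Python snippet with the standard `ast` module, flags two common weaknesses on the exact line where they occur (a SQL statement assembled from runtime values, and a command run through a shell), and attaches a suggested fix to each finding, which is the kind of output an editor gutter or problems pane would surface as the developer types. The rule names, the `check_source` and `format_findings` functions and the sample source are all my own.

```python
"""Spell-checker-style static check: flag risky lines and suggest a fix.

Added illustration, not code from the post or from Armorize. Parses Python
source with the standard library `ast` module and reports each finding with
its line number, the offending source line and a suggested remediation.
"""
import ast

# Constructed sample input: three small functions, two with risky patterns.
SAMPLE_SOURCE = '''\
import sqlite3
import subprocess

def find_user(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT id FROM users WHERE name = '" + name + "'")
    return cur.fetchone()

def list_dir(path):
    return subprocess.run("ls " + path, shell=True)

def find_user_safe(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT id FROM users WHERE name = ?", (name,))
    return cur.fetchone()
'''


def _is_dynamic_string(node):
    """True if the expression builds a string at runtime from other values."""
    if isinstance(node, ast.JoinedStr):            # f"..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                # "a" + x   or   "a %s" % x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"          # "a {}".format(x)
    return False


class _Checker(ast.NodeVisitor):
    """Walks every call expression and records findings as it goes."""

    def __init__(self):
        self.findings = []

    def _report(self, node, rule, message, fix):
        self.findings.append(
            {"line": node.lineno, "rule": rule, "message": message, "fix": fix})

    def visit_Call(self, node):
        func = node.func
        # Rule 1 (hypothetical rule id SQLI): query text assembled at runtime
        # and handed straight to a DB-API execute()/executemany() call.
        if (isinstance(func, ast.Attribute)
                and func.attr in ("execute", "executemany")
                and node.args and _is_dynamic_string(node.args[0])):
            self._report(node, "SQLI",
                         "SQL statement is built from runtime values",
                         'use a parameterised query: cur.execute("... WHERE name = ?", (name,))')
        # Rule 2 (hypothetical rule id SHELL): any call that passes shell=True.
        for kw in node.keywords:
            if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True):
                self._report(node, "SHELL", "command run through a shell",
                             'pass an argument list and drop shell=True: subprocess.run(["ls", path])')
        self.generic_visit(node)   # keep descending into nested calls


def check_source(source):
    """Return findings for `source`, each carrying its line, rule, text and fix."""
    tree = ast.parse(source)
    checker = _Checker()
    checker.visit(tree)
    lines = source.splitlines()
    for f in checker.findings:
        f["source"] = lines[f["line"] - 1].strip()
    return sorted(checker.findings, key=lambda f: f["line"])


def format_findings(findings):
    """Render findings the way an editor problems pane would list them."""
    return "\n".join(
        f"line {f['line']} [{f['rule']}]: {f['message']}\n"
        f"    {f['source']}\n    fix: {f['fix']}"
        for f in findings)


if __name__ == "__main__":
    print(format_findings(check_source(SAMPLE_SOURCE)))
```

Running it reports the concatenated query on line 6 and the `shell=True` call on line 10, and leaves the parameterised `find_user_safe` alone. The point of the design is the one the post makes: each finding is tied to a single line and ships with a concrete replacement, so the developer never has to consult a separate report or know why the pattern is dangerous to act on it.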

“That’s the way it should be,” Sima said. “We’re enabling developers to identify problems and give them the ability to have standards of remediation practices and standard code practices. It’s agile and that’s the way it should be. The goal is to be able to take the technology and for example, give it to a college kid with little or no experience and have him code a secure Web application.”

This is pretty contrary to what other security companies say about introducing security tools into the development lifecycle, Sima said.

“Security companies are shoving security into the development arena. In my viewpoint, developers shouldn’t learn anything about security. It’s not their job. Ultimately, security should be invisible to the developer; it’s the right way to get things done.”
