If you’re into source code analysis and Web application security, then you know who Caleb Sima is. Sima, for the uninitiated is cofounder of SPI Dynamics and the guy who helped build the popular static source code analyzer, DevInspect. SPI Dynamics was scooped up three years ago by HP and until recently, Sima has been busy handing off his pride and joy to the computing giant. He’s since left HP and has emerged as CEO of Taipei-based Armorize Technologies.
Armorize does source code analysis and Web application security, and is anxious to spread its influence beyond Asia into the U.S. Sima has known about Armorize for a while, meeting up annually with founders Wayne Huang and Matt Huang at the RSA Conference and learning more about their unique approach to source code analysis.
The company’s CodeSecure product turns static source code analysis on its head. Unlike traditional analysis tools that compile and scan projects and then produce a to-do list of issues and vulnerabilities that pain developers to remediate, CodeSecure does real-time language syntax analysis, Sima said, and like a spell-checker, highlights problematic lines of code and with a right-click of the mouse offers suggested fixes as the developer is typing.
“That’s the way it should be,” Sima said. “We’re enabling developers to identify problems and give them the ability to have standards of remediation practices and standard code practices. It’s agile and that’s the way it should be. The goal is to be able to take the technology and for example, give it to a college kid with little or no experience and have him code a secure Web application.”
This is pretty contrary to what other security companies say about introducing security tools into the development lifecycle, Sima said.
“Security companies are shoving security into the development arena. In my viewpoint, developers shouldn’t learn anything about security. It’s not their job. Ultimately, security should be invisible to the developer; it’s the right way to get things done.”