Move to acquire Infrared Security will add static code analysis to WhiteHat’s dynamic vulnerability testing platform.
WhiteHat Security has acquired static code analysis technology from Infrared Security in a move to add the functionality to its Sentinel code analysis application, which until now has focused solely on dynamic vulnerability testing.
The move brings in a cadre of well-known secure software development experts, including Jerry Hoff, Jim Manico and Eric Sheridan, all active members of the Open Web Application Security Project (OWASP). WhiteHat said the team will guide the integration of their existing SaaS-based code testing tool into the WhiteHat Sentinel product line, and will also guide research and product development.
Web application security has gained more attention from enterprises as website vulnerabilities and weaknesses in online payment, ecommerce and other Web-based applications have become a favorite target of attackers.
Jeremiah Grossman, founder and CTO of WhiteHat, said the move was in response to WhiteHat's customer demands. WhiteHat customers want something effective at uncovering vulnerabilities earlier in the software development life cycle, Grossman wrote in the company blog.
Several security vendors have built SCA products to address this need, but nothing has really worked. Nothing has been even remotely accurate or managed to meet the need of enterprise scale. We know this because Sentinel measures these outcomes after our customers have purchased these products and they've shared their experiences with us.
Grossman said the goal of the integration is to make static analysis “fast, accurate, and scalable.”
A lot has been written about the differences and relative effectiveness of static versus dynamic code analysis, and the approach most application security firms take is to provide both kinds of tools to customers and let them integrate what they can into their processes. Static analysis happens early in the SDL and can find a boatload of vulnerabilities.
WhiteHat competes with Campbell, Calif.-based Cenzic Inc., which offers a Web application testing suite as SaaS. The integration of static code analysis technology helps it take aim at Burlington, Mass.-based Veracode Inc., which combines dynamic and static code analysis for application security audits. Klocwork Inc. also offers an automated source code analysis suite, and Fortify Software Inc., now part of Hewlett-Packard, offers both static and dynamic analysis tools.