DULLES, Va. and SAN MATEO, Calif., Sept. 17 /PRNewswire/ -- Cigital, Inc., the leading software security consulting firm and Fortify Software, the market leader in enterprise application security solutions for Business Software Assurance, today announced the release of the Cigital Java Security Rulepack 1.0, a set of Java static analysis rules for the Fortify Source Code Analyzer.
Cigital Java Security Rulepack 1.0 builds upon Fortify Software's current set of rules and enhances the Fortify analysis by checking for additional security vulnerabilities. Based on the "Seven Pernicious Kingdoms" security vulnerability taxonomy developed jointly by Cigital and Fortify, the rulepack enforces the secure implementation of APIs and frameworks including J2EE, Struts, and Java Cryptography. The Cigital Java Security Rulepack is licensed and distributed as open source and is available to the security community for distribution, modification and use.
"Evidence suggests that the payoff for eliminating flaws early on in the life cycle is high," states Dr. Chenxi Wang, Principal Analyst, Forrester Research. "Fortify is a leading vendor of static analysis tools." Wang says, "The longer a flaw is allowed to exist within a piece of code, the more costly it is to repair … Static analysis can identify and eradicate flaws significantly before deployment, which usually results in less costly remediation."
Fortify's internal Security Research Group is the primary driver for building capabilities in Fortify analyzers to detect new vulnerabilities across a range of languages and APIs, with a current base of more than 315 vulnerability categories across 17 languages and in excess of 500K APIs. The Cigital Java Security Rulepack increases these numbers by adding more than 70 vulnerability categories, allowing users to check for even more security and quality implementation issues. Because the rules are released as open source, users have the ability to view and modify the implementation of the rules to fit their needs. Cigital experience shows that customized, tailored rule sets can significantly reduce the number of false positives and increase the uptake of static analysis in an organization.
The Cigital rules add a number of important security checks, including:
- J2EE misconfiguration checks
- Struts misconfiguration checks
- Cryptographic usage checks
- Credential protection checks
- Code quality checks
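As an added illustration (not code from the rulepack, Cigital or Fortify), the kind of Java usage that cryptographic-usage and credential-protection checks of this sort look for: a method that hard-codes a database password and encrypts with single DES in ECB mode, beside a hardened version that takes the credential from the deployment environment and the key from a generator or keystore, and encrypts with AES-GCM under a fresh nonce. Which patterns the Cigital rulepack itself reports is not stated on this page; the environment variable name DB_PASSWORD, the method names and the sample plaintext are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class CryptoUsageExample {

    // ---- Weak patterns a static rule would report ---------------------------

    // Hard-coded credential: ships in the class file and in every checkout.
    static final String DB_PASSWORD = "hunter2";

    // Single DES (56-bit key) in ECB mode with a literal key: weak algorithm,
    // deterministic mode and an embedded key in one call chain.
    static byte[] encryptWeak(byte[] plaintext) throws Exception {
        SecretKey key = new SecretKeySpec(
                "8bytekey".getBytes(StandardCharsets.US_ASCII), "DES");
        Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key);
        return c.doFinal(plaintext);
    }

    // ---- Hardened equivalents -----------------------------------------------

    // Credential read from the environment (hypothetical variable name), never
    // from a string literal; a missing value is an error, not a default.
    static String dbPasswordFromEnvironment() {
        String pw = System.getenv("DB_PASSWORD");
        if (pw == null || pw.isEmpty()) {
            throw new IllegalStateException("DB_PASSWORD is not set");
        }
        return pw;
    }

    static final int GCM_NONCE_BYTES = 12;
    static final int GCM_TAG_BITS = 128;

    // AES-GCM with a random 96-bit nonce prepended to the ciphertext. The key is
    // passed in (from a keystore or KeyGenerator), not embedded in the source.
    static byte[] encryptHardened(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[GCM_NONCE_BYTES];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, nonce));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(nonce, nonce.length + ct.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    static byte[] decryptHardened(SecretKey key, byte[] blob) throws Exception {
        byte[] nonce = Arrays.copyOfRange(blob, 0, GCM_NONCE_BYTES);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, nonce));
        // doFinal throws AEADBadTagException if the blob was modified in transit.
        return c.doFinal(blob, GCM_NONCE_BYTES, blob.length - GCM_NONCE_BYTES);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample plaintext.
        byte[] msg = "card=4111111111111111".getBytes(StandardCharsets.UTF_8);

        // Two identical 8-byte blocks under DES/ECB produce identical ciphertext
        // blocks, which is what makes the mode leak structure.
        byte[] weak = encryptWeak("AAAAAAAAAAAAAAAA".getBytes(StandardCharsets.US_ASCII));
        System.out.println("DES/ECB block0 == block1: "
                + Arrays.equals(Arrays.copyOfRange(weak, 0, 8), Arrays.copyOfRange(weak, 8, 16)));

        // AES-256 needs the unlimited-strength policy on JDKs older than 8u161.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();

        byte[] blob = encryptHardened(key, msg);
        System.out.println("AES-GCM round trip ok: "
                + Arrays.equals(msg, decryptHardened(key, blob)));

        // Fresh nonce each call: the same message never encrypts to the same bytes.
        System.out.println("AES-GCM ciphertexts differ: "
                + !Arrays.equals(blob, encryptHardened(key, msg)));
    }
}
```

Run with `javac CryptoUsageExample.java && java CryptoUsageExample`. The weak half is the shape a rule matches on (a literal flowing into `SecretKeySpec`, a `Cipher.getInstance` transformation naming DES or ECB, a `static final String` that looks like a password); the hardened half shows the fix a reviewer would ask for rather than a suppression.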
"Static analysis for security has come a long way in the ten years since Cigital introduced ITS4 to the world," says Dr. Gary McGraw, CTO of Cigital and Chair of Fortify's Technical Advisory Board. "Cigital is proud to continue to push the limits in the real-world use of cutting-edge tools for software security." Dr. McGraw's early work in software security focused on Java, and included co-authoring the best seller Java Security with Ed Felten from Princeton University.
"We're excited to see outside experts, such as Cigital, writing custom rules to further enhance and refine the level of analysis of Fortify's products," says Brian Chess, Co-Founder and Chief Scientist at Fortify. "This trend started with the Computer Emergency Response Team (CERT) earlier in 2008 and now takes a great stride forward with the addition of the Cigital Java Security Rulepack."
To view the Cigital Java Security Rulepack, please visit http://www.cigital.com/securitypack/. Fortify customers can download this update via the Premium Content section of the Fortify Customer Portal.
About Cigital, Inc.

Established in 1992, Cigital, a leading software security and quality consulting firm, has enabled some of the most well-known organizations in financial services, communications, insurance, hospitality, e-commerce and government to reduce their mission-critical software business risks. Cigital consultants specialize in software security to help organizations protect some of their most valuable assets: company and mission information, customer and individual data, shareholder value and brand. Each client's unique requirements are served through a combination of proven methodologies, tools and best practices. Cigital also specializes in software quality, assuring the reliable delivery and deployment of software that organizations build, buy and integrate. Cigital (http://www.cigital.com) is headquartered near Washington, D.C. with offices in Boston, New York, Los Angeles and Delhi, India.
About Fortify Software, Inc.
Fortify(R)'s Business Software Assurance products and services protect companies from the threats posed by security flaws in business-critical software applications. Its software security suite, Fortify 360, drives down costs and security risks by automating key processes of developing and deploying secure applications. Fortify Software's customers include government agencies and FORTUNE 500 companies in a wide variety of industries, such as financial services, healthcare, e-commerce, telecommunications, publishing, insurance, systems integration and information management. The company is backed by world-class teams of software security experts and partners. More information is available at http://www.fortify.com.
SOURCE Cigital, Inc.