On demand security code verification service

Comsec Consulting Global : 15 July, 2009  (New Product)
Codefend from Comsec Consulting is an on-demand code verification and threat identification service intended for use as part of a security development lifecycle.
Comsec Consulting has launched a new application security service that combines technology and expert human analysis for outsourced security code review and threat identification.

Codefend is an on-demand service allowing developers to securely send their non-compiled code to Comsec, where it is analysed for security vulnerabilities and threats. Fusing the latest generation of code analysis tools, customised rules and Comsec's proprietary methodologies, the service delivers more accurate reporting and identifies vulnerabilities not routinely picked up when using a 'tool only' approach.

To avoid excessive code re-write costs, or the risk of releasing solutions to the market with known vulnerabilities flagged up in routine penetration testing, enterprises have started to implement Security Development Lifecycles (SDLC), which combine threat assessments, training and code reviews throughout code or system integration development. As part of an SDLC, many companies have purchased costly licences for code review software, which often requires excessive customisation by the development team and commonly produces large numbers of false positives, both of which increase the burden on developers.

With its broad technological support and logistical and financial flexibility, provided as a hassle-free solution delivered as a service, Codefend streamlines application security testing and code review processes, delivering the following benefits:

* Potential to reduce code re-write costs by as much as 50%
* More cost efficient than purchasing in-house tools with quicker response and results
* Developers can dynamically publish their code for review, with the service optimised for C#, VB.Net, C, PHP, Java, JavaScript, and C++
* Able to find common vulnerabilities, such as those identified in the OWASP (Open Web Application Security Project) Top Ten and CWE/SANS Institute (Common Weakness Enumeration & SysAdmin, Audit, Network, Security) Top 25
* Able to find complex vulnerabilities, such as Stored XSS, Authorization and Authentication Bypass, Race Conditions, Injections (XML, LDAP, SQL, Malicious Code) and Filter Evasions
* Business Logic Flaws can be detected by the Codefend analysis team
* False positives are eliminated by the Codefend analysis team

Stuart Okin, Managing Director, Comsec Consulting UK says, "The current financial climate means that enterprises need to consolidate application security expenditure by reducing outlay of costly code review licenses, while at the same time improving the security efficiency of the development and testing teams."

Microsoft's UK Chief Security Advisor, Ed Gibson, agrees. "Our experience at Microsoft is that the Security Development Lifecycle reduces the 'total cost of development' by finding and eliminating vulnerabilities early. According to the American National Institute of Standards and Technology (NIST), eliminating vulnerabilities in the design stage can cost 30 times less than fixing them post release. Therefore there are strong economic drivers to support getting security right."

Migrating to this new service does not mean completely abandoning previous investment in security code review, as "Codefend affords the opportunity of capitalising on previous investments in bespoke scripting, and knowledge gathered about systems and applications, to provide greater return on investment in the long run, and more efficiency over time."

Roy Harari, VP Business Development, Comsec Consulting, believes that this new approach also offers broader opportunity for all businesses to more comprehensively access security code review solutions. He explains, "It has long since been proven that security code review is the optimal solution for detecting software vulnerabilities, especially while still in the development phases. Until now, cost-efficiency considerations and delivery pressures did not allow for proper, comprehensive security code review to be applied across all industries and development organisations, and was often limited to the large software houses. Now, with multiple compliance standards, such as the Payment Card Industry's Data Security Standards (PCI:DSS), there is a real demand for security services across all areas of development, including at source code level."

Mr Okin continued, "While there are many sophisticated tools available today, it is no secret that automated tools have yet to be able to compensate for the human factor of intuition and experience, which remain integral factors to ensuring security on all levels. Codefend bridges this gap by combining the best of both worlds."