Comsec calls for efficient code checking to remove vulnerabilities, as it launches review and threat identification service
Named Codefend, it is an on-demand service that allows developers to securely send their non-compiled code to Comsec where it is analysed for security vulnerabilities and threats.
According to Comsec, the service delivers more accurate reporting and identifies vulnerabilities not routinely picked up when using a ‘tool only' approach.
Comsec Consulting UK managing director Stuart Okin, described it as a service that allows the review of code to produce a report where the client can see the vulnerabilities. Okin said: “We will read the code, look at the alerts and tell the client where to get rid of the problems, we physically look at the code line by line and the report can be viewed by fix or impact, we will make a suggestion.
“We can take an incomplete code or semi-cut code to give us an advantage. We can cut through the milestones of the security development lifecycle, but we do need to go on a jihad as people are not concerned with security and a lot of people fall into a category where they don't consider the vulnerabilities at the early stage.”
Ed Gibson, Microsoft's UK chief security advisor, said: “Our experience at Microsoft is that the security development lifecycle reduces the ‘total cost of development' by finding and eliminating vulnerabilities early. According to the American National Institute of Standards and Technology, eliminating vulnerabilities in the design stage can cost 30 times less than fixing them post release. Therefore there are strong economic drivers to support getting security right.”
Okin claimed that checking the code at the earliest stage is better, as checking at the back end causes all sorts of problems. Never doing an assessment is not acceptable and waiting until the end to check the code is less acceptable.
“While there are many sophisticated tools available today, it is no secret that automated tools have yet to be able to compensate for the human factor of intuition and experience, which remain integral factors to ensuring security on all levels. Codefend bridges this gap by combining the best of both worlds,” said Okin.