Larkware

We get up early so that you don't have to.

Briefing: Fortify Application Defense

Fortify Application Defense, call for pricing
Fortify Software Inc.
Palo Alto, California
(650) 213-5600
http://www.fortifysoftware.com/products/ad.jsp

One of the key concepts in computer security is defense in depth: the notion that you always need more than one layer of protection for your data, in case you're not as smart as you think you are. Fortify, who have for some time been providing high-end source-code analysis and testing applications focused on security, now add one more layer to that defense with the release of Fortify Application Defense. The new product is designed to protect applications after they've been deployed, monitoring how they're actually being used and looking for evidence of nefarious activity once you put the application out in the real world. I had a chance to talk to the Fortify folks a few days before they announced the product at this week's Demo conference, and here's what they had to say.

The basic idea is pretty simple: you point Fortify Application Defense at your application, and it produces a hardened version of the application, injecting itself as an invisible monitoring layer without changing the application's behavior. It then uses the knowledge base that Fortify has built up over a few years of doing source code audits and security testing to watch for things you'd rather not have happening: SQL injection, cross-site scripting, invalid URL probing, click fraud, HTTP response splitting, attempts to list the contents of directories, and so on. Even if you've done a good job of coding, so that your application isn't vulnerable to these attacks, there's still valuable information in knowing what's being tried, and Fortify Application Defense makes it easy to see the patterns of attacks. A Web-based console lets you slice and dice the information by dimensions like type of attack and time, without the administrative overhead of going through server logs and ferreting out the interesting requests yourself.

Fortify Application Defense offers a flexible set of ways to respond to questionable user behavior. You can just block requests you don't like, but you can also alert administrators, issue additional challenges to be answered, or start running down an alternative execution path if you prefer. They say the typical overhead is less than 1%, which ought to be undetectable in practice. Right now, it works with J2EE applications, with a .NET version promised for the future.
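To make the two preceding paragraphs concrete, here is a small added example (my own illustration, not Fortify's code or anything from the product) of what a monitoring layer of this kind does: it classifies each incoming request against a signature table, applies a response policy (block, alert, or challenge), and then rolls the detections up by attack type and hour, the way the console described above lets you slice them. The signature patterns, the policy table, and the log lines are all constructed for this example; a real knowledge base is far larger, and the directory-listing heuristic in particular is deliberately simple.

```python
"""Toy request-monitoring layer: classify requests, apply a response policy,
and summarize detections by attack type and hour."""
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed sample traffic in a simplified "<timestamp> <method> <target>"
# format; none of it is real.
SAMPLE_REQUESTS = [
    "2006-02-09T10:01:05 GET /item?id=42",
    "2006-02-09T10:01:09 GET /item?id=42'%20OR%20'1'%3D'1",
    "2006-02-09T10:02:30 GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E",
    "2006-02-09T10:03:00 GET /images/",
    "2006-02-09T10:03:02 GET /admin.bak",
    "2006-02-09T10:04:45 GET /item?id=43",
    "2006-02-09T11:10:00 GET /item?id=43%20OR%201%3D1",
]

# Hypothetical signature table, checked in order against the decoded target.
SIGNATURES = [
    ("sql_injection",
     re.compile(r"(?i)('\s*or\s*'|\bor\s+\d+\s*=\s*\d+|\bunion\s+select\b)")),
    ("cross_site_scripting",
     re.compile(r"(?i)(<script\b|javascript:|\bon(error|load)\s*=)")),
    ("invalid_url_probe",
     re.compile(r"(?i)(\.\./|\.(bak|old|orig|swp)(\?|$))")),
]

# Hypothetical response policy covering the response styles the briefing lists.
POLICY = {
    "sql_injection": "block",
    "cross_site_scripting": "block",
    "invalid_url_probe": "alert",
    "directory_listing": "challenge",
}


def parse_request(line):
    """Split one log line into timestamp, method, raw target and URL path."""
    timestamp, method, target = line.split(" ", 2)
    return {"time": timestamp, "method": method, "target": target,
            "path": urlsplit(target).path}


def classify(request):
    """Return the attack type a request matches, or None if it looks benign."""
    decoded = unquote_plus(request["target"])  # match decoded text, not the escaped form
    for attack, pattern in SIGNATURES:
        if pattern.search(decoded):
            return attack
    # Heuristic: a request for a directory (path ending in "/") other than the root
    if request["path"] != "/" and request["path"].endswith("/"):
        return "directory_listing"
    return None


def decide(attack):
    """Map an attack type to a response action; unclassified requests are allowed."""
    return POLICY.get(attack, "allow")


def monitor(lines):
    """Run every request through classification and policy, returning the decisions."""
    decisions = []
    for line in lines:
        request = parse_request(line)
        attack = classify(request)
        decisions.append({**request, "attack": attack, "action": decide(attack)})
    return decisions


def summarize(decisions):
    """Count detections by (attack type, hour): the two console dimensions named above."""
    return Counter((d["attack"], d["time"][:13]) for d in decisions if d["attack"])


if __name__ == "__main__":
    results = monitor(SAMPLE_REQUESTS)
    for d in results:
        print(f'{d["time"]} {d["action"]:9} {d["attack"] or "-":22} {d["target"]}')
    for (attack, hour), n in sorted(summarize(results).items()):
        print(f"{hour} {attack}: {n}")
```

The point of matching on the decoded target rather than the raw one is that URL encoding is the first thing an attacker varies; the point of keeping classification separate from the policy table is that the same detection can be switched from "block" to "alert" while you confirm a signature isn't catching legitimate traffic. On the sample above, the two SQL injection attempts land in different hours, so the summary shows them as two separate (type, hour) buckets.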

Mike Gunderloy is the lead developer for Larkware and author of numerous books and articles on programming topics.

Published February 9, 2006