October 2, 2007
PALO ALTO, Calif., October 2, 2007 - Fortify® Software, the market leader in enterprise application security solutions, the Carnegie Mellon® Software Engineering Institute (SEI) CERT® Coordination Center (CERT/CC) and JPCERT/CC today announced they are collaborating to automate compliance checking for the CERT C and C++ Secure Coding Standard using Fortify® Source Code Analysis so that software developers can eliminate vulnerabilities before applications are deployed.
“Although establishing secure coding guidelines is a prerequisite to improving secure coding practices in both government and industry, these guidelines can be lengthy and complex, making it difficult for developers to learn and apply,” said Robert Seacord, a senior vulnerability analyst at CERT who is leading its secure coding initiative. “Extending Fortify to validate source code for compliance simplifies the process of adopting the CERT Secure Coding standards and lets developers focus on eliminating software vulnerabilities that cannot be easily detected by automated means.”
This multi-organization collaboration is designed to ascertain how practically and effectively automated rules can be used in real-world development. It will take place in three stages. First, CERT/CC will develop Fortify SCA rules that check for non-compliance with the CERT C and C++ Secure Coding guidelines. Then, at the beginning of the new year, Fortify and CERT/CC expect to make a Fortify Rulepack publicly available, which will be provided to JPCERT/CC. JPCERT/CC, working in collaboration with Software Research Associates of Japan, will run Fortify SCA with the enhanced rule set on several projects currently under development. As the third step in this process, CERT/CC and JPCERT/CC will publish an SEI technical report describing the results of the study in Spring 2008.
“Static analysis tools continue to evolve, have become increasingly more capable, and add huge value to an organization’s security in terms of finding and removing exploitable vulnerabilities,” said Brian Chess, Fortify’s founder and chief scientist. “There’s considerable benefit to the software development community in supporting CERT’s secure coding guidelines, and we’re thrilled that Fortify SCA has the opportunity to be the first solution to be integrated with this initiative.”
“Between 1995 and 2006, the data CERT/CC collected and analyzed from numerous sources shows that the number of reported software vulnerabilities increased an average of 52 percent per year,” said Art Manion, the Vulnerability Analysis team lead at CERT/CC. “Fixing software vulnerabilities in deployed systems is critical to operational security; however, this approach is unlikely to substantially reduce the overall number of software vulnerabilities. Since the major cause of software vulnerabilities is code defects, it makes sense to address the problem close to the source, using secure coding practices.”
Fortify® SCA analyzes source code to help find and fix software vulnerabilities at the root cause, early in the development cycle, making triage, audits and remediation fast and effective for any organization. Its advanced features help developers identify and resolve issues with less effort, while enabling security leads to review and prioritize more code in less time. Fortify SCA supports a wide variety of languages, frameworks and operating systems, and delivers depth and accuracy in its results. For more information, please visit Fortify’s website at http://www.fortifysoftware.com/products/sca/.
Fortify® Software products protect companies from the threats posed by security flaws in business-critical software applications. Its software security products (Fortify SCA, Fortify Defender, Fortify Tracer and Fortify Manager) drive down costs and security risks by automating key processes of developing and deploying secure applications. Fortify Software’s customers include government agencies and FORTUNE 500 companies in a wide variety of industries, such as financial services, healthcare, e-commerce, telecommunications, publishing, insurance, systems integration and information management. The company is backed by world-class teams of software security experts and partners. More information is available at www.fortifysoftware.com.
The CERT Secure Coding Standards currently provide rules and recommendations for secure coding in C and C++. These standards are being developed through a broad-based community effort, including the CERT Secure Coding Initiative and members of the software development and software security communities. For more information on the secure coding initiative, please visit www.cert.org/secure-coding.
The CERT® Program is part of the Software Engineering Institute (SEI), a federally funded research and development center at Carnegie Mellon University in Pittsburgh. CERT/CC develops and promotes the use of appropriate technology and systems management practices to resist attacks on networked systems, to limit damage, and to ensure continuity of critical services. More information is available at http://www.cert.org/.
JPCERT/CC is an independent non-profit organization, acting as a national point of contact in Japan. Since its establishment in 1992, the center has been gathering computer incident and vulnerability information, issuing security alerts and advisories, and providing incident responses as well as education and training to raise awareness of security issues.
Founded in 1967, SRA is one of Japan’s oldest and largest independent software houses. In order to meet the challenges of responding to wide-ranging customer demands, SRA blends cutting-edge technology and new paradigms with a wealth of operations know-how and expertise acquired through years of experience. “Client-optimized” solutions are designed to satisfy the full spectrum of customer needs, from consulting to systems development and administration. SRA maintains a strong presence in the software product market, distributing and supporting many communications, database and Internet/World Wide Web applications. SRA has branches in major cities throughout Japan, as well as offices in New York, California, Amsterdam, Bangalore and Singapore.
Fortify North America: Lisa Eskey, Sterling Communications, 1-408-884-5157, leskey@sterlingpr.com
Fortify UK: Laura Mead, Johnson King Public Relations, +44 (0) 20 7357 7799, lauram@johnsonking.co.uk
Fortify Austria, Germany and Switzerland: Ingrid Daschner, Johnson King Public Relations, +49 (0) 894085-11, ingridd@johnsonking.de
CERT/CC: Kelly Kimberland, 412-268-4793, public-relations@sei.cmu.edu
JPCERT/CC: Yoko Kohda, pr@jpcert.or.jp
SRA: fortify@sra.co.jp