14 Jul 2009
Security firm Comsec Consulting today launched a new on-demand code review service designed to improve the security of developers' code.
Codefend allows developers to send non-compiled code to Comsec, where it is analysed for security vulnerabilities and threats by automated code analysis tools as well as human experts.
The service could reduce code rewrite costs by as much as half, according to the firm, and, being an outsourced service, is more cost-efficient than purchasing in-house tools.
Codefend is able to find common vulnerabilities as detailed by the Open Web Application Security Project (OWASP) Top 10 and the SANS Top 25, as well as more complex vulnerabilities such as filter evasions, injections and race conditions.
The human analysis, meanwhile, can remove false positives and detect business logic flaws, according to the firm.
Stuart Okin, UK managing director at Comsec, argued that commercial pressures to release software as soon as possible often mean that security is overlooked in the development process.
"In the security profession we have been saying this for years," he said. "Don't get me wrong: firewalls and anti-virus are important but, if you have a code vulnerability such as a filter evasion, cross site scripting or whatever, malware will get straight through the firewalls as if they don't exist."
Ed Gibson, chief security advisor at Microsoft UK, agreed that firms could save significant sums of money by detecting flaws in code early on. He quoted figures from the American National Institute of Standards and Technology suggesting that eliminating flaws in the design stage can cost 30 times less than fixing them after release.
Gibson added that, because the service is outsourced, it may attract smaller firms that do not have the in-house expertise to undertake such checks.
"These capabilities will take away any reason not to have your code checked because you don't need someone in-house full time," he said.
"[Code review] has become more important given the continuing and more targeted attacks by miscreants, organised crime and state sponsored."