http://www.quocirca.com
benefit of including analysis of embedded third-party components, which sourcecode scanning would not provide. It may be advisable to seek the co-operation and permission of independent software vendors when scanning their applications. Indeed, they may well provide details of scans they themselves have commissioned. Dynamic scanning can also be carried out independently of the supplier. Here the focus is on web-enabled applications that are scanned in a test or run-time environment. It is not as thorough as static scanning, because only discovered executable roots through the code are followed. But these routes are the ones most prone to attack. Since no sources or details of binaries are required, dynamic testing can be used to test any web-enabled application, including those provided as on-demand services as well as inhouse-developed and deployed ones. The process is straightforward. Simply point the scanner at the URL for the application and let it get on with it. There seems little point in buying and installing tools to carry out such scans on-premise when you consider how easy it is to point an on-demand service at a web-enabled application. This advantage is especially true when the benefits of using an on-demand service specific to code scanning are taken in to account. Top among these benefits is the wisdom of crowds. Because code-scanning service providers are dealing with hundreds of customers, and scanning many thousands of applications on their behalf, they soon build up a picture of common problems.
When it comes to commercial code, they will often have seen it before and know what to look for and have an understanding of common flaws introduced through customisation. This familiarity allows service providers to benchmark the results of a given scan against the results they have had from other scans and indicate to a customer if its code is below or above average. This facility makes it easy to set thresholds and offer advice about the dangers of proceeding with the deployment of a given application without making modifications to the code or putting other security measures in place. Understanding software security is the core competence of the providers of ondemand scanning services. The developers of software code, whether theyre coders working for end-users organisations or ISVs, do not necessarily have this skill. Their focus should be on building the core functionality of their applications and ensuring they deliver the expected business value; the task of security testing can be outsourced. Those interested in finding out more about the benefits of the dynamic and static code scanning and the results of Quocircas latest research the report is freely available here.
This article first appeared in April 2012 on
http://www.techrepublic.com
http://www.quocirca.com
About Quocirca
Quocirca is a primary research and analysis company specialising in the business impact of information technology and communications (ITC). With world-wide, native language reach, Quocirca provides in-depth insights into the views of buyers and influencers in large, mid-sized and small organisations. Its analyst team is made up of realworld practitioners with first-hand experience of ITC delivery who continuously research and track the industry and its real usage in the markets. Through researching perceptions, Quocirca uncovers the real hurdles to technology adoption the personal and political aspects of an organisations environment and the pressures of the need for demonstrable business value in any implementation. This capability to uncover and report back on the end-user perceptions in the market enables Quocirca to advise on the realities of technology adoption, not the promises. Quocirca research is always pragmatic, business orientated and conducted in the context of the bigger picture. ITC has the ability to transform businesses and the processes that drive them, but often fails to do so. Quocircas mission is to help organisations improve their success rate in process enablement through better levels of understanding and the adoption of the correct technologies at the correct time. Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC products and services on emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of long term investment trends, providing invaluable information for the whole of the ITC community. Quocirca works with global and local providers of ITC products and services to help them deliver on the promise that ITC holds for business. Quocircas clients include Oracle, Microsoft, IBM, O2, T-Mobile, HP, Xerox, EMC, Symantec and Cisco, along with other large and medium sized vendors, service providers and more specialist firms.
Full access to all of Quocircas public output (reports, articles, presentations, blogs and videos) can be made at http://www.quocirca.com
http://www.quocirca.com