London, 14 July 2009 – Comsec Consulting, a European market leader providing information security consulting services, today launches a new application security service which combines technology and expert human analysis, for Outsourced Security Code Review and Threat Identification.
CODEFEND™ is an on-demand service allowing developers to securely send their non-compiled code to Comsec, where it is analysed for security vulnerabilities and threats. Fusing the latest generation of code analysis tools, customised rules and Comsec’s proprietary methodologies, the service delivers more accurate reporting and identifies vulnerabilities not routinely picked up when using a ‘tool only’ approach.
To avoid excessive code re-write costs, or the risk of releasing solutions to the market with known vulnerabilities flagged up in routine penetration testing, enterprises have started to implement Security Development Lifecycles (SDLC), which combine threat assessments, training and code reviews throughout code or system integration development. As part of SDLC, many companies have purchased costly licences for code review software, which often requires extensive customisation by the development team and commonly produces large numbers of false positives, both of which increase the burden on developers.
With its broad technological support and logistical and financial flexibility, provided hassle-free as a service, CODEFEND™ streamlines application security testing and code review processes, delivering the following benefits:
Potential to reduce code re-write costs by as much as 50%
More cost efficient than purchasing in-house tools with quicker response and results
Developers can dynamically publish their code for review, with the service optimised for C#, VB.Net, C, PHP, Java, Javascript, and C++
Able to find common vulnerabilities, such as those identified in the OWASP (Open Web Application Security Project) Top Ten and CWE/SANS Institute (Common Weakness Enumeration & SysAdmin, Audit, Network, Security) Top 25
Able to find complex vulnerabilities, such as Stored XSS, Authorization and Authentication Bypass, Race Conditions, Injections (XML, LDAP, SQL, Malicious Code) and Filter Evasions
Business Logic Flaws can be detected by the CODEFEND™ analysis team
False positives are eliminated by the CODEFEND™ analysis team
Stuart Okin, Managing Director, Comsec Consulting UK says, “The current financial climate means that enterprises need to consolidate application security expenditure by reducing outlay of costly code review licenses, while at the same time improving the security efficiency of the development and testing teams.”
Microsoft’s UK Chief Security Advisor, Ed Gibson, agrees. “Our experience at Microsoft is that the Security Development Lifecycle reduces the ‘total cost of development’ by finding and eliminating vulnerabilities early. According to the American National Institute of Standards and Technology (NIST), eliminating vulnerabilities in the design stage can cost 30 times less than fixing them post release. Therefore there are strong economic drivers to support getting security right.”
Migrating to this new service does not mean completely abandoning previous investment in security code review, as “CODEFEND™ affords the opportunity of capitalising on previous investments in bespoke scripting, and knowledge gathered about systems and applications, to provide greater return on investment in the long run, and more efficiency over time.”
Roy Harari, VP Business Development, Comsec Consulting, believes that this new approach also offers a broader opportunity for all businesses to access security code review solutions more comprehensively. He explains, “It has long since been proven that security code review is the optimal solution for detecting software vulnerabilities, especially while still in the development phases. Until now, cost-efficiency considerations and delivery pressures did not allow for proper, comprehensive security code review to be applied across all industries and development organisations, and it was often limited to the large software houses. Now, with multiple compliance standards, such as the Payment Card Industry’s Data Security Standards (PCI DSS), there is a real demand for security services across all areas of development, including at source code level.”
Mr. Okin continued, “While there are many sophisticated tools available today, it is no secret that automated tools have yet to be able to compensate for the human factor of intuition and experience, which remain integral factors to ensuring security on all levels. CODEFEND™ bridges this gap by combining the best of both worlds.”