Security start-up Fortify Software claims to have developed a new security system that will inspect source code for vulnerabilities and hence make hackers lives far more difficult.

The Californian company's two new products analyse computer code for security violations and enforce secure coding practices. One inspects source code written in C++ and Java, the other probes security holes in software applications, Fortify said.

The new products give companies a way to strengthen software applications against attack by spotting and removing common vulnerabilities like buffer overflows, format string errors and unchecked input from the product code early in the development process, said Mike Armistead, Fortify VP of marketing.

The company has been quietly developing the technology for a while, but its website has nothing but a huge, fancy Flash movie at the moment. It is also unknown how much the suites will cost, and where and when they will be made available.

At the heart of Fortify's products is technology called "extended static checking" that analyses the properties of software code rather than the behaviour of the finished program, said Brian Chess, chief scientist at Fortify.

Most source code analysis products work by trying to "stimulate" finished software applications with long lists of data and produce an invalid response. Extended static checking enables Fortify's products to enumerate all the paths in computer code that can take action or "execute", quickly spot sensitive areas in the computer code, then determine the exact limits of the vulnerability, he said.

That makes Fortify's product different from those of competitors such as Sanctum and SPI Dynamics, said Theresa Lanowitz, research director at Gartner: "Fortify tackled this problem of security at the application level from a developer perspective only."

Fortify Source Code Analysis is a suite of products that includes the Fortify Developer Toolkit and Fortify Source Code Analysis Server that compare code to a list of more than 500 vulnerabilities published by software quality management company Cigital.

The Developer Toolkit is a desktop application that runs on Linux and Windows desktops and works with leading Integrated Development Environments (IDEs) to pinpoint security vulnerabilities early on, as code is being written and tested, Armistead said. "The developer gets output that looks like output from a compiler," he said. For example, the Fortify Developer Toolkit might spot the developer using a software function that is known to introduce security risks.

"Instead of a compiler error saying 'I can't parse this', developers will get a Fortify error saying that they're using a dangerous function, why not to use it and here's what could happen if you do use it," Chess said. "The idea is that just because a program compiles correctly, it's not necessarily a good program. So if the security checker doesn't like the program, you need to fix it."

The Analysis Server is another component of the Fortify Source Code Analysis product that analyses software code for vulnerabilities and security flaws during "integration builds", when the work of multiple developers is knitted together, Armistead said.

The Analysis Server can analyse input as it flows through code to spot vulnerabilities where external input is digested by software functions, enabling the product to spot vulnerabilities that might not exist in a discrete segment of code, but pop up when combined with other vulnerable components, Chess said. Fortify will also announce an application to check finished software applications before they are deployed.

Fortify Red Team Workbench is a penetration testing tool that uses both static analysis and dynamic analysis to probe security holes in running applications. The product can simulate sophisticated hacks and malicious behaviour and works with quality assurance tools such as Mercury Interactive's LoadRunner and the open source JUnit Java testing framework, Fortify said.

The idea is to make "red teams" that take the role of hackers to test application security more effective by providing them with powerful, automated tools, Armistead said.

The idea of applying security at the application development level is still nascent, but is gaining in popularity, Lanowitz said. "The industry has to make sure that development groups understand the importance of security at the application level. Vendors will help with this problem by delivering content to the developers to help them focus on security at the application and source code level," she said.