HP says it now has a free service called "Fortify My App" that lets anyone building mobile or Web applications upload code to the Fortify software-as-a-service and get a limited analysis of whether the code has specific vulnerabilities or design flaws.
The free service is still considered to be in beta, according to Mike Armistad, vice president and general manager of enterprise security products at Fortify, a division of HP. But the idea is that anyone can visit the "Fortify My App" site to receive a free report within 24 hours about their client/server Web application or mobile app, whether it be for iPhone, Google Android, Windows Mobile, or BlackBerry.
The service focuses on a limited number of specific vulnerabilities, such as cross-site scripting, Armistad says. It's a way to introduce potential customers to the paid software-as-a-service "Fortify On Demand", which comprehensively checks code for vulnerabilities.
Armistad says mobile apps can have the same kinds of vulnerabilities that other applications do. But security deficiencies frequently seen in mobile apps include "they're storing credentials in memory" or "passing credentials in cleartext," he pointed out. Another problem in mobile apps is that they have "information-leaking vulnerabilities" in which data is exposed when it shouldn't be.
The free service FortifyMyApp is available here.