Fortify Software has come up with a way for companies interested in moving their applications to a cloud provider can analyse it line by line for security-worthiness in the new environment.
The Readiness Scorecard is effectively a free add-on for the company’s software assurance products, Fortify 360, and the online Fortify on Demand assurance service, able to give companies a vulnerability rating for software as if it was running in a cloud environment.
Aren’t code vulnerabilities the same whether they are in the cloud or inside a corporate network?
According to Fortify chief scientist and founder, Brian Chess, the cloud questions coding assumptions that would have been reasonable when an application was originally written. Applications can communicate with one another using insecure protocols, while assumed infrastructure such as DNS servers will in the cloud model be shared and beyond the oversight of the IT department.
In short, software has to assume less trust and the vulnerability of data must be pinpointed precisely. “When you move to the cloud, your risk profile changes,” said Chess.
The point of the Readiness Scorecard is to give in-house teams a list of both minor and major fixes needed before a given application can be run in the cloud in a way that minimises such risk, he said.
“Like immunising themselves against infection, cloud providers can use Fortify 360 or Fortify on Demand to ensure that bad code introduced by one or more customers doesn’t contaminate their cloud offering,” said Chess.
Current Fortify customers would get access to the Scorecard free of cost from later this quarter while new users would have the feature bundled with subscriptions.
Fortify has repeatedly warned of the security issues that lie unanswered in cloud computing, having previously done a probably justified hatchet job on worries around outsourced coding.