WhiteHat Security today announced the acquisition of static code analysis (SCA) technology from Infrared Security, a firm of leading software security experts who also developed a key piece of technology. You may better recognize their names as Jerry Hoff, Jim Manico and Eric Sheridan. As the press release says, “With the acquisition, WhiteHat Security gains new, complementary technology for static code analysis, to build on their market-proven dynamic vulnerability testing solution, WhiteHat Sentinel.” That’s right! WhiteHat is getting into the SCA business!
As we see things, software security is about solving two extremely important, interrelated, and world-wide problems.
1) Dealing with the immense number of vulnerabilities hiding all over in the many trillions of lines of deployed code.
2) Making sure the next decade of applications being developed by some 17 million programmers is written more securely than the previous.
Finding effective solutions to both these problems is vital to breaking the cycle of software security pain. Solving the first problem, particularly for websites, has been WhiteHat’s focus since our founding. Our approach to website vulnerability assessment has proved itself uniquely fast, accurate, and scalable. Sentinel is driven by a massive infrastructure and a dynamic analysis methodology designed to hunt down the most egregious exploitable vulnerabilities, deployed SaaS-style to make it easy to achieve enterprise scale, all so our customers can prioritize those vulnerabilities and get them resolved — and they have been. Indeed, over half a million verified vulnerabilities have been wiped out so far.
Moving forward, more and more of our customers, strategically minded organizations that don’t want to be the next breach victim, are concerning themselves with the second problem. As they develop their software, they want something that’s effective at uncovering vulnerabilities earlier in the software development life-cycle, BEFORE code is pushed to production where it will eventually become a real business risk. An ounce of prevention is worth a pound of cure and static code analysis (SCA) is the ideal approach.
Several security vendors have built SCA products to address this need, but nothing has really worked. Nothing has been even remotely accurate or managed to meet the needs of enterprise scale. We know this because Sentinel measures these outcomes after our customers have purchased these products, and they’ve shared their experiences with us.
We listened closely, and it’s what ultimately led to today’s announcement. Now imagine a modern SCA technology combined with the scalability of the Sentinel platform. Just as WhiteHat grew to perform more website vulnerability assessments than anyone, if we do our job right, it’s only a matter of time before we’re doing the same in the source code market. It will also mean a few hundred thousand website vulnerabilities WhiteHat Sentinel won’t find.
Going after the software security problem at the root is no small undertaking. It is ambitious, audacious, and essential. We’ll do for SCA what we did for DAST… make it fast, accurate, and scalable.