The NWC Interview: Brian Chess, Fortify Software

Brian Chess, Ph.D. founder and chief scientist of Fortify Software, Which sells source code analysis tools to help developers find and fix bugs that lead to security problems.

What's the main driver for a product like yours, particularly given that it's going to add costs and time to application rollouts?

Companies realize they need their software to be secure and it's not going to happen by accident. They have to put effort into it.

What causes software vulnerabilities?I would say the number one problem is developers don't necessarily know when they are doing something relevant to security. When they're coding the process that takes a file and turns it into an image on the screen, they don't necessarily think about that as security-relevant. But all the Web browsers of the last couple of years have all had image-rendering problems where you hand them a malicious image file and a buffer overflow happens.

How do you promote software security awareness among companies and their developers?

We are selling tools to help people find security problems, but if they don't want to find security problems then it doesn't matter if they have good tools. The number one thing we like to see when we talk to a customer is if they have the right attitude, and the right attitude is "It's not complete until it's secure."

I like to think of developers as being the ultimate optimizers. If you tell them security is optional, they will optimize it out of the process. The real message is "You're not done until the code is secure."

Once that message gets through, they'll optimize along those lines. It's human nature that they want to operate under the same assumptions of yesterday, last year, and a decade ago. The fact is the security landscape has changed. A lot of what developers do is security-relevant, and they have to come around to that--and if you have to put their bonuses on the line, so be it.

Who's doing interesting security research these days?OWASP [Open Web Application Security Project,] is doing really good stuff. They are best known for the Top 10 list but they do other good things like the Honeycomb Project, which classifies attacks, vulnerabilities and countermeasures.

Another is Securitymetrics.org. If you think the whole problem of trying to make something secure is hard, try the problem of measuring the result. But if you're serious about getting security right, at some point you have to make measurements.

Has a customer's code ever scared you?

I don't want to name names, but I have changed my online habits based on code that I've seen. I've got one set of passwords for sites that are secure, and a different set of passwords, credentials and ways of interacting with sites that I think are less secure. I get to look at the inner workings of some sites and it really blows my hair back.

How do you ensure that your software doesn't have flaws?We sell to a lot of security teams, and they try to break it. We found out very early on that our software was going to be attacked by our customers because they are trying to decide if we know what we're talking about. So we follow the same steps that we advise our customers to take: define our security objectives, identify where we see potential problems, and review our development process.

One company found a vulnerability in Fortify Software because they had been burned by the same vulnerability a couple of years earlier. It was a rarified attack but it was real. They taught us some really interesting ways to attack our software that we hadn't thought of yet.

• Podcast: right click to download the complete interview

• Get more NWC Podcasts