
Fortify Tackles Computer Security

Start-Up's New Tools Scan Software to Detect Flaws While Code Is Being Written

Computer experts last week urged the industry to make security a built-in feature of software. Silicon Valley's best-known venture-capital firm is backing a start-up to help programmers do just that.

Fortify Software Inc. on Tuesday unveiled a set of tools to help examine and test software code for security flaws while programs are being developed. The closely held company was funded by Kleiner Perkins Caufield & Byers, and is based in the firm's offices in Menlo Park, Calif.

The venture is a response to the rising number of computer attacks, which are overwhelming the defenses deployed by companies and government agencies. Such safeguards, including intrusion-detection devices and programs known as firewalls, are designed to keep intruders out of sensitive networks.

But some hackers, and the viruses and other malicious code they write, inevitably get through. A high-profile report to the Bush administration last week concluded that the root cause of the problem is programming bugs that leave openings for attackers. The 250-page report, solicited by the Department of Homeland Security, recommends new practices to design and develop programs with fewer defects.

Similar conclusions had been reached about two years before by Ted Schlein, a managing partner at Kleiner Perkins who was an early executive at Symantec Corp., a big maker of antivirus software. He recruited four executives to start Fortify, and serves as its chairman.

The team consulted with software experts, including Gary McGraw, an author of three books on computer security who has been evangelizing for better programming practices. He is also chief technology officer at Cigital Inc., a Dulles, Va., consulting firm that has developed its own tools for scanning software for defects.

Fortify's software is based on the fact that most security problems stem from known programming mistakes as companies race to finish products that may be composed of thousands or millions of lines of code. A programmer, for example, might neglect to see that a piece of prewritten code allows a user to insert any amount of text into the address field in a Web browser, said Mike Armistead, a Fortify vice president.

An attacker might later insert millions of characters into that field. That well-known attack, called a buffer overflow, can cause a program to crash and give an attacker control over the computer running it, Mr. Armistead said.

Fortify's software, designed to be run at the end of each day's programming, analyzes code to find more than 500 such problems. It explains the problems and suggests solutions, but programmers must manually make the changes, Mr. Armistead said.
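The two preceding passages describe, in general terms, the mistake Mr. Armistead cites (a fixed-size field that accepts any amount of text) and the kind of scan Fortify's tool performs over source code. The C below is an added illustration written for this page; it is not Fortify's code and says nothing about how its scanner actually works. It shows an unchecked copy into a fixed field beside a length-checked version that rejects oversized input, and a deliberately simple line scanner that flags the unbounded C string calls a tool of this kind would look for. The 64-byte field size, the function names and the sample source text are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define ADDR_MAX 64 /* hypothetical fixed-size "address field" */

/* Unsafe pattern: copies whatever the caller supplies. If src is longer
 * than the destination, the copy writes past the end of the array, which
 * is the buffer overflow the article describes. Shown only as the pattern
 * a scanner would flag; it is never called with oversized input here. */
void copy_address_unchecked(char *dst, const char *src) {
    strcpy(dst, src);
}

/* Checked version: refuses input that does not fit in the field together
 * with its terminating NUL. Returns the copied length, or -1 if rejected.
 * memchr is used instead of strlen so an unterminated input cannot be
 * read past ADDR_MAX bytes. */
int copy_address_checked(char *dst, const char *src) {
    const char *end = memchr(src, '\0', ADDR_MAX);
    if (end == NULL) {
        return -1; /* no terminator within the field: too long */
    }
    size_t n = (size_t)(end - src);
    memcpy(dst, src, n + 1);
    return (int)n;
}

/* Convenience wrapper: copies into a local field and reports the result. */
int field_accepts(const char *src) {
    char field[ADDR_MAX];
    return copy_address_checked(field, src);
}

/* Builds a constructed input of `len` 'A' characters (len < 300) and
 * reports whether the checked copy accepts it. */
int boundary_demo(int len) {
    char input[300];
    if (len < 0 || len >= (int)sizeof input) {
        return -1;
    }
    memset(input, 'A', (size_t)len);
    input[len] = '\0';
    return field_accepts(input);
}

/* Toy scanner: counts source lines that call an unbounded copy routine.
 * A real analyzer tracks data flow and buffer sizes; this only shows the
 * idea of matching known-dangerous patterns line by line. */
int count_unbounded_copies(const char *source) {
    int hits = 0;
    const char *line = source;
    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[256];
        size_t n = len < sizeof buf - 1 ? len : sizeof buf - 1;
        memcpy(buf, line, n);
        buf[n] = '\0';
        if (strstr(buf, "strcpy(") != NULL || strstr(buf, "strcat(") != NULL) {
            hits++;
        }
        line = nl ? nl + 1 : line + len;
    }
    return hits;
}

/* Constructed sample source for the scanner: two unbounded calls, one bounded. */
static const char SAMPLE_SOURCE[] =
    "char addr[64];\n"
    "strcpy(addr, input);      /* flagged */\n"
    "strncpy(addr, input, 63); /* not flagged */\n"
    "strcat(addr, suffix);     /* flagged */\n";

int main(void) {
    printf("short URL accepted, length %d\n", field_accepts("http://example.com/"));
    printf("63 chars: %d, 64 chars: %d\n", boundary_demo(63), boundary_demo(64));
    printf("unbounded copy calls in sample: %d\n", count_unbounded_copies(SAMPLE_SOURCE));
    return 0;
}
```

The boundary case is the one worth noticing: a 63-character address fits because the 64th byte holds the terminator, while 64 characters are rejected outright rather than silently truncated. The scanner also shows why Mr. McGraw's caveat matters: a pattern match finds the call, but deciding whether a given `strcpy` is actually reachable with attacker-controlled input still takes a human reading the surrounding design.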

One early tester is eBay Inc.'s PayPal unit, an online-payment service. "The thing I'm attracted to is being able to find problems as they are being introduced into the application, instead of later" during a security audit, said Chuck Geiger, PayPal's chief technical officer.

Mr. McGraw said other start-ups are racing to produce similar tools, but Cigital decided to collaborate with Fortify. He noted that such tools are good at catching bugs but aren't a substitute for human analysis in finding fundamental design problems.

One influential programmer, Sun Microsystems Inc. co-founder Bill Joy, said he was impressed enough to invest in Fortify.

"We clearly need new tools and methods," said Mr. Joy, who helped popularize the Sun programming technology called Java before resigning from the company last year. "I'm encouraged that people are trying to do this."
