JOLT Winner
Fortify Defender: Real-Time Analyzer (Fortify Software)
Patrick White
Reviewed by Mike Riley
Fortify Defender's latest improvements have kept it at the forefront of application development security via the way it armors web applications. The Internet is a scary place for unprotected web applications, with botnets and malicious hackers poised to strike at any code weaknesses. Defender's multiple-OS-supported Application Shield helps developers identify and lock down code that can be used to exploit SQL injections, buffer overflows, cross-site scripting and session fixation, among other things that can wreak havoc and potentially destroy businesses. Fortify's monitor and protect modes supply all the forensics information necessary to identify threats in real time.
Crowd (Atlassian)
Reviewed by Hugh Bawtree
Crowd is a promising new Single Sign-On product. Instead of signing onto multiple applications, it enables users to sign on just once to Crowd and then execute all their applications: internal apps, custom apps and web forums. Crowd automatically logs the user into each app. Obviously, this simplifies the user's life and centralizes the administration work for sysadmins. Crowd also makes life easier for developers. It already has built-in interfaces to many directory services: Microsoft Active Directory, OpenLDAP, Sun ONE and Apache Directory Service. And it has interfaces to some applications: Atlassian applications, Apache, Subversion, Jive forums and OpenID (used by thousands of web sites). Developers can develop their own interfaces for other apps using a Java API or a SOAP API. Finally, developers get a copy of the Crowd source code when they purchase a Crowd license.
Defensics (Codenomicon)
Reviewed by Mike Riley
Codenomicon's Defensics offers security-conscious developers a set of web application analysis tools that help detect code vulnerabilities via its ability to scan over 130 different interfaces and formats, from standard web traffic to wireless and digital media (images, audio, etc.) security threats. Defensics comes bundled with numerous pre-built test cases, saving developers time as well as ensuring that some of the most sophisticated attack vector attempts will be tested in a variety of scenarios. Test results are linked to the problem source for rapid identification and remediation and can be employed for continuous testing throughout the application's lifecycle.
Ounce (Ounce Labs)
Reviewed by Rick Wayne
The crackers only have to be lucky once; defenders must strengthen the whole system. Case in point: the Ounce source-code vulnerability scanner. Ounce includes tools not just for dedicated security analysts, but for line developers and managers, too. Ounce's scanning technology is fast, the UI organizes reams of information into usable form, and Ounce appears blessedly free of the false-positive blizzard. The analyst's application scans, sets policies, and can prioritize results, while the Eclipse and Visual Studio plug-ins for developers let them scan code and confirm fixes. Also, the Portfolio Manager reports statistical and trend information, letting the whole team know how the battle is going.