SmartRisk Analyzer 1.0
By Richard V. Dragan


Full Review (Page 3 of 3)

Safer Code Cuts Security Risks

To write secure software, developers have to think like hackers and find flaws before they can be exploited by the bad guys. SmartRisk Analyzer 1.0 from @stake provides considerable security expertise for any company writing or maintaining code in C/C++. This powerful, expensive code-analysis tool has some noteworthy technology and can spot potential risks in your code base before trouble starts.


SmartRisk Analyzer runs on Windows and Solaris, targeting just C/C++ code for now. The lack of support for ASP and scripting languages is a limitation, but the next release—scheduled for later this year—will support Java and C#/.NET and be available as a separate shell or integrated with Microsoft Visual Studio .NET.

At this price, a standard setup installer would also be nice; as it stands, you have to unzip the files yourself to get started. SmartRisk offers a simple yet effective shell for defining projects that contain multiple source-code and compiled (binary) files, then scans them for security flaws. It also does a good job of spotting dependencies, such as Win32 DLLs. SmartRisk can do more if you have the source code along with the compiled version, but if you don't, you can still scan older executables through its "deep binary analysis" capability. This feature is @stake's proprietary approach to scanning source code together with the binary (or executable) version, to identify vulnerabilities introduced by interactions with other components.

@stake says SmartRisk Analyzer performs over 400 checks for errors and security loopholes, such as buffer overwrites and improper error handling. Enterprise-class development tools like IBM WebSphere Application Developer offer code coaches that give suggestions, but nothing that addresses security in as wide and deep a way as is offered here. For example, in an analysis of an open-source Web server with over 80,000 lines of code, SmartRisk spotted a handful of potential errors and made more than 100 suggestions for improved security. A graphical report summarizes warnings and errors in several categories for quick reference. You can also view annotated C/C++ source code, along with syntax highlighting, to see exactly where potential problems lurk within the file.
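To illustrate the two check categories the review names, buffer overwrites and improper error handling, here is an added C example of my own, not code from the product or from the article: the unbounded copy a source scanner would flag, beside a bounded version that validates its inputs and reports failure to its caller. The NAME_MAX constant, struct record and the function names are assumptions made for this example.

```c
#include <errno.h>
#include <string.h>

/* Constructed fixed-size record, the kind of field a C/C++ scanner inspects. */
#define NAME_MAX 16

struct record {
    char name[NAME_MAX];
    int  id;
};

/* The shape a source analyzer reports as a buffer overwrite: an unbounded
 * copy into a fixed-size field. Shown only as the flagged pattern; nothing
 * in this file calls it. */
void set_name_unsafe(struct record *r, const char *name)
{
    strcpy(r->name, name); /* overflows once strlen(name) >= NAME_MAX */
}

/* Hardened form: validate inputs, bound the copy, and return an error code
 * instead of silently truncating (the improper-error-handling class). */
int set_name_checked(struct record *r, const char *name)
{
    size_t len;
    if (r == NULL || name == NULL) {
        return -EINVAL;
    }
    len = strlen(name);
    if (len >= NAME_MAX) {
        return -ENAMETOOLONG; /* leave r->name untouched on failure */
    }
    memcpy(r->name, name, len + 1); /* length checked above, NUL included */
    return 0;
}

/* Caller that propagates the error rather than ignoring the return value. */
int make_record(struct record *r, const char *name, int id)
{
    int rc = set_name_checked(r, name);
    if (rc != 0) {
        return rc;
    }
    r->id = id;
    return 0;
}
```

Feeding make_record() a name of NAME_MAX characters or more returns -ENAMETOOLONG and leaves the record unchanged, which is the behaviour a caller can check rather than discovering the overwrite later.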

Though it's probably just too expensive for small to mid-size organizations, the technology in SmartRisk Analyzer marks it as a useful tool to improve security for enterprises that need to make security a priority throughout a project's life cycle and can afford to pay for it.

This article was first published on pcmag.com.
