Ensuring Your Own Application Security
"We’ve decided to push back," says Ferderer’s partner, Tim Burke, IS manager at CUNA Mutual. "Any new software we’re developing or having developed must go through an error-free scan before it’s deployed." Second, integrate the application scanners into the development process by training your developers and mandating that outside developers scan their work at predictable intervals. (This was made easier for .Net developers last February when Microsoft integrated the application scanner from Sanctum into Visual Studio .Net.)
Expect developers to freak out about that. "The first time we had one of our developers run the scan on some sample code he wrote, his eyes bugged out," says Erick Weber, vice president of enterprise information security at IndyMac Bank, which holds $9.6 billion in assets and last year earned $600 million. "He thought he wrote pretty good code, but he had created significant security holes.
"But it made him want to learn how to integrate the scanning into his development. That’s what we want. The last thing we want is to have developers continue coding the same way, run scans on their work, and then throw the code back at them and say, ‘Hey, fix this.’"
...But Know Scanning’s Limitations
It would be folly to deploy app scanning and think the security problem is therefore licked. Know the limitations of these tools.
First, they don’t know what they don’t know. That is, they scan for known vulnerabilities, the most common ones. The tools will have to evolve as vulnerabilities evolve.
Second, the tools don’t know whether a flaw is dire or benign.
Third, some of these scanning apps just tell you where the holes in the roof are, some others put buckets under the holes, and still others even suggest how to patch the roof. But none of them actually fix anything.
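The "error-free scan before it’s deployed" rule above, combined with the second and third limitations (the tool cannot judge how dire a flaw is, and it fixes nothing), is usually implemented as a pre-deploy gate that a human triage step feeds into. The following is an added example, not code from the article or from any of the scanners it mentions: it assumes a hypothetical scanner that emits a JSON list of findings with an id, rule, severity, file and line, and a hypothetical reviewer-maintained allowlist in which accepted findings carry a justification and an expiry date. Both inputs here are constructed samples.

```python
"""Pre-deploy gate over an application-scanner report (added example).

Assumed scanner report format (hypothetical, not any real tool's):
    {"findings": [{"id", "rule", "severity", "file", "line"}, ...]}
Assumed allowlist format (hypothetical): {finding_id: {"reason", "expires"}}
"""
import json
from datetime import date

# Constructed sample scanner output.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "f-001", "rule": "sql-injection", "severity": "high",
         "file": "src/account.py", "line": 42},
        {"id": "f-002", "rule": "reflected-xss", "severity": "medium",
         "file": "src/views.py", "line": 17},
        {"id": "f-003", "rule": "buffer-overflow", "severity": "high",
         "file": "native/parse.c", "line": 88},
        {"id": "f-004", "rule": "weak-hash", "severity": "low",
         "file": "src/legacy.py", "line": 5},
    ]
})

# Constructed triage allowlist: findings a reviewer examined and accepted.
# The expiry forces accepted risk to be revisited instead of silently persisting.
SAMPLE_ALLOWLIST = {
    "f-003": {"reason": "input length is checked two frames up; confirmed in review",
              "expires": "2099-01-01"},
    "f-004": {"reason": "legacy checksum, not used for security",
              "expires": "2000-01-01"},   # already expired: must be re-reviewed
}

# The scanner's label is only a starting point; unknown labels are ranked high
# so an unfamiliar severity string cannot slip past the gate.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def triage(report_json, allowlist, today_iso, block_at="high"):
    """Split findings into (blocking, accepted, expired, below_threshold).

    A finding is accepted only if a reviewer recorded it with an unexpired
    expiry. An expired acceptance is reported separately and the finding is
    then judged again purely on severity, as if it had never been triaged.
    """
    today = date.fromisoformat(today_iso)
    findings = json.loads(report_json)["findings"]
    threshold = SEVERITY_RANK[block_at]
    blocking, accepted, expired, below = [], [], [], []
    for f in findings:
        rank = SEVERITY_RANK.get(f["severity"].lower(), SEVERITY_RANK["high"])
        entry = allowlist.get(f["id"])
        if entry is not None:
            if date.fromisoformat(entry["expires"]) >= today:
                accepted.append(f)
                continue
            expired.append(f)
        if rank >= threshold:
            blocking.append(f)
        else:
            below.append(f)
    return blocking, accepted, expired, below


def gate(report_json, allowlist, today_iso, block_at="high"):
    """True if the build may deploy: no un-triaged finding at or above block_at."""
    blocking, _, _, _ = triage(report_json, allowlist, today_iso, block_at)
    return not blocking


if __name__ == "__main__":
    blocking, accepted, expired, below = triage(SAMPLE_REPORT, SAMPLE_ALLOWLIST, "2024-01-01")
    for label, group in (("BLOCK", blocking), ("ACCEPTED", accepted),
                         ("EXPIRED", expired), ("INFO", below)):
        for f in group:
            print(f"{label:8} {f['id']} {f['rule']:16} {f['file']}:{f['line']}")
    print("deploy allowed:", gate(SAMPLE_REPORT, SAMPLE_ALLOWLIST, "2024-01-01"))
```

With the constructed inputs the gate refuses the deploy: f-001 is high and untriaged, f-003 is high but carries a current acceptance, and f-004 surfaces as an expired acceptance that needs another look even though its severity alone would not block. The point of the allowlist with a reason and expiry is that the scanner never decides what is dire or benign and never fixes anything; a person does, and the gate only enforces that the decision was recorded.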
"My concern is people buy them and think that alone fixes the problem," says Bill Guttman, director of the Sustainable Computing Consortium, a collaborative designed to protect the nation’s computing infrastructure and improve the reliability of its IT systems. "It happened with antivirus [software]. Firewalls. People develop a false sense of security."
The next generation of application scanners should address some of those issues. Plan for an ongoing investment in application scanning. A divisional IS officer at one of the nation’s largest banks (who asked not to be named) says his company will spend $30,000 to $40,000 per quarter scanning and auditing a major application.
IndyMac’s Weber has no trouble justifying the cost. As an ancillary benefit, he uses the tools to convince both developers and his executive peers of the value of security. He says security is like pollution; no one cares until they can see it. "I can rattle off really great reasons we need application security to users and management," says Weber. "But they never really understand until they see, you know, eight buffer overflows, right there on their screen."