To print: Click here or Select File and then Print from your browser's menu

This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://software.silicon.com/security/0,39024655,39169197,00.htm

Betfair fortifies its software code
Case study: How to free up developers' time and squash the bugs

By Gemma Simpson

Published: Tuesday 20 November 2007

Betfair has rolled out a source code analysis tool to free up its developers' time and keep bugs at bay.

Betfair introduced the Fortify Source Code Analysis (SCA) tool at the beginning of the year to identify, manage and fix any software security flaws.

The online betting exchange expects to see a return on investment on the SCA product within the space of three years.

Security A to Z

From antivirus to zero-day, click here for silicon.com's alphabetical guide to security.

Betfair uses the tool to run nightly scans on its code and the output of those scans goes to a central reporting server (CRS).

The CRS then flags up any serious issues uncovered by the tool and also tracks trends, such as the number of potential lower-level security issues.

Matt Young, engineering partner development director at Betfair, told silicon.com: "A spike in the number of low-level potential issues found by the SCA tool usually means either that a lot of code has been checked in at once or that someone has checked in code without getting it reviewed first. It can be a good early-warning sign."

Young said the SCA tool also covers some of the review and analysis work when scanning through reams of code - in particular automating the more labour-intensive parts of manual code review - leaving developers more time to look at broader design issues.

Once a bug is found within the code, the tool also provides Betfair with custom rules to identify the bug which has been found.

The custom rules can then be used to search the rest of the code base for other existing and similar instances of the problem and to run a nightly source code regression checks to prevent any new instances of the same bug entering the code base.