Tech Update Security
Security from the inside out
By Dan Farber
April 21, 2004

Thousands of researchers and product developers are looking for silver bullets that will secure enterprises from malicious cyberattacks. Most security specialists agree that finding a cure for security ills is like trying to find a cure for the common cold. No single remedy today can make you immune from the sickness, but a smart mixture of potions can increase your chances of avoiding the sniffles or efficiently eradicating the infection.

Security experts are devising multi-layered approaches for dealing with potential cyberattacks. A combination of firewalls, intrusion detection systems, deep packet inspection, access controls, antivirus software and rigorous patching practices can reduce a cyberattack's chances of success.


However, more attacks are occurring at the application level, circumventing network-based protection schemes. And the worms and viruses propagate so quickly that relying on detection and antivirus patches for protection is unreasonable.

A major problem is that most security solutions approach the problem from the outside in, building security perimeters across a network. In addition, it's inefficient to manually comb through millions of lines of application or operating system code to detect vulnerabilities. Start-up Fortify Software is pioneering an automated inside-out, root-cause approach that could improve the security of software by systematically weeding out vulnerabilities as an integral part of the software development process.

Many companies provide tools for improving code quality, but they are not focused on eliminating vulnerabilities--such as stack buffer overflows, format string errors, SQL injection exploits, and unconditionals. Programmers know about buffer overflows, for example, but the methods for eliminating them from code are more of an afterthought. Remedies might be introduced during the testing phase or when an unfortunate user reports the flaw, but there is a lack of awareness during the development phase, according to Roger Thornton, chief technology officer at Fortify.

"As an industry, we need to make the builders of software the front lines, but today they are detached from how applications will work in the field," Thornton said.

Fortify's approach relies on static analysis of code to identify vulnerabilities. "Static analysis looks at the code and makes a determination solely based on looking at the text of a program," according to Brian Chess, Fortify's chief scientist. "A compiler, for example, looks at code and transforms it into an executable. We share plenty of DNA with compilers and apply it to find security vulnerabilities, but rather than optimize [an application] to run faster, we look to see if the code can be exploited in some fashion by attackers."

Finding security vulnerabilities requires a more flexible system than a language compiler, given that the rules change as developers build new libraries and the attackers find new ways to exploit systems. Fortify's source code analysis software applies a set of hundreds of rules to identify vulnerabilities in C, C++, Java, JSP and PLSQL.

The rules are sourced through the security establishment and research community, as well as by an internal team at Fortify. In addition, Fortify licenses rules developed by the software quality management firm Cigital.

Chess maintains that many of the attack patterns are relatively easy to pinpoint. "Static analysis can find vulnerabilities statically because developers repeat mistakes over and over," Chess said. "It turns out that developers are not only creatures of habit--so are attackers."

The products in the Fortify source code analysis suite include a Developer Toolkit, a Source Code Analysis Server and a Software Security Manager, which centralizes reporting, policy management and risk assessment.

The Developer Toolkit works with Eclipse-based or Microsoft Visual Studio integrated development environments (IDEs). The Analysis Server scans the code to pinpoint exploitable vulnerabilities, looking for patterns in data and control flows that match the most current database of vulnerabilities for the particular language or operating system.
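The source-to-sink pattern matching described above, as an added example that is not Fortify's code: a toy taint analyzer over Python's own AST, with constructed source and sink rules (`read_request_param`, `execute`, `system` are assumed names) and a constructed sample program in which untrusted input flows into a SQL query and a shell command.

```python
import ast
# Rule set for this example (constructed; a commercial analyzer ships hundreds).
SOURCES = {"input", "read_request_param"}  # calls that return attacker-controlled data
SINKS = {"execute": "SQL injection", "system": "command injection"}  # dangerous calls
# Constructed sample program: lines 4 and 8 should be flagged, line 6 is clean.
SAMPLE = '''
user = read_request_param("name")
query = "SELECT * FROM users WHERE name = '" + user + "'"
cursor.execute(query)
safe = "SELECT COUNT(*) FROM users"
cursor.execute(safe)
cmd = f"ping {user}"
system(cmd)
'''

def callee(call):  # name of the called function, for both f(x) and obj.f(x)
    fn = call.func
    return fn.id if isinstance(fn, ast.Name) else getattr(fn, "attr", None)

class TaintAnalyzer(ast.NodeVisitor):
    """Tracks untrusted data from sources to sinks by walking the AST in order."""
    def __init__(self):
        self.tainted = set()  # variable names currently holding untrusted data
        self.findings = []    # (line, sink name, bug class)

    def is_tainted(self, expr):
        # Tainted if any sub-expression is a tainted variable or a source call; this
        # covers +, %, f-strings and .format(). No sanitizers are modelled (over-approximates).
        return any((isinstance(n, ast.Name) and n.id in self.tainted) or
                   (isinstance(n, ast.Call) and callee(n) in SOURCES)
                   for n in ast.walk(expr))

    def visit_Assign(self, node):
        # An assignment either introduces taint or overwrites the variable with clean data.
        for target in node.targets:
            if isinstance(target, ast.Name):
                (self.tainted.add if self.is_tainted(node.value)
                 else self.tainted.discard)(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        if callee(node) in SINKS and any(self.is_tainted(a) for a in node.args):
            self.findings.append((node.lineno, callee(node), SINKS[callee(node)]))
        self.generic_visit(node)

def analyze(source):
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings  # [(line, sink, bug class)]
```

Running `analyze(SAMPLE)` reports the `execute` call on line 4 and the `system` call on line 8, while the constant query on line 6 is not flagged; a real tool adds sanitizer rules and inter-procedural tracking on top of this same source-to-sink idea.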

Fortify complements its static analysis tools with a dynamic, run-time analysis testing suite that simulates attacks on code before deployment. Red Team Workbench penetration testing launches attacks and malicious data gleaned from studying both white hat and black hat programming exploits, Thornton said.

The company is also developing a real-time monitoring application that can detect attacks and automatically respond to defend the compromised code. "You want the flexibility to respond to attackers without disrupting the features provided for users," Chess explained. "We are putting firewalls in applications at the function-call level, so you can look at individual values inside applications as they are working, and make a determination as to whether the behavior is expected or unexpected. If it's unexpected, we can either shift data off the machine to do analysis or put the sensor in an alert mode and wait to hear back from the analysis server, or have sensors re-route the application to an exception handling function."

Chess maintains that monitoring at the application level, rather than just the network, provides more context about what a packet means to an application. "Suppose your application has been running for several months and is now making a database request for a stack trace that has never been seen before. It's a path that has never been executed before, and asks to delete a table from the database. The wire may see the request, but it wouldn't know the path and the context under which the request was made."

Fortify is aiming its product suites at larger enterprises with multi-language code bases that have incurred, or are at risk of suffering, substantial financial losses from security breaches. The Developer Toolkit is $3,500 per user and the Source Code Analysis Server is $50,000 per CPU. The Red Team Workbench is $25,000 per concurrent user. Subscriptions to the rule-updating service are $5,000 per server. Current customers include PayPal, AT&T Wireless and New Vine Logistics.

While Fortify's tools and those from other vendors are improving cybersecurity, the attack surface is increasing in terms of reported vulnerabilities, non-secure code in use and the number of networked devices. "The trick will be keeping parity or getting ahead of the bad guys," said Thornton. Some things never change.

You can write to me at dan.farber@cnet.com. If you're looking for my commentaries on other IT topics, check the archives.
