If you were one of the many thousands of people who placed a bet on this year’s Grand National, the chances are that the security of that transaction was being monitored by application security software developed by Fortify, a little-known firm based in San Mateo, California.

Fortify produces tools used by other software devlopers to constantly monitor security throughout a product’s lifecycle ­ a process known as business software assurance (BSA). “We’re in the business of helping enterprises to progress from developing high-quality, high-performance software to developing high-quality, high-performance software with built-in high security,” said Fortify chief executive John Jack.

The latest version of Fortify’s BSA package is Fortify 360 (F360), a software suite launched in March that is designed to analyse code development throughout the software lifecycle, including the planning, coding, testing, deployment and maintenance phases.

Fortify’s system is a natural evolution in software security, according to Jack. “Just as firms deploy anti-virus systems throughout their business to secure their employee’s systems, firms are looking for a partner to secure their business-to-business and business-to-consumer applications,” he said.

The tool works primarily by checking code at the software compilation and build stage. “Our package finds defects in software code, demonstrates why a defect is an issue and sets out what to do to fix it,” said Jack. “The package works when you’re developing code and also when that code has been signed off, deployed and is running in your datacentre ­ it’s constantly checking for online attacks.”

The company has a dedicated team of researchers checking for software vulnerabilities, and once a quarter their findings are used to update Fortify’s BSA package to ensure its accuracy when auditing code.

A roll call of Fortify’s customers includes many of the world’s largest banks, independent software vendors and industry giants such as Oracle. One area that has proved particularly lucrative for the company in recent years is online gambling, where customers include www.bwin.com and www.betfair.com. “Bwin has adopted our F360 system to secure its online betting site. It is facing attacks from organised crime syndicates, especially from eastern European countries not yet part of the EU,” Jack said.

He explained that the problem these online gambling sites had was that “it was very difficult to tell whether the person who’d just won £1m through that site did so on behalf of hackers who supplied them with information allowing them to beat the odds”.

Another problem highlighted by Jack is that developers often fail to differentiate between everyday software bugs and those that give rise to security issues. “The difference is that if customers find a bug in software, then they’ll phone up and talk to you about it; if a hacker finds a bug, he won’t phone you up,” Jack said.

Ideally, developers should focus on areas where security flaws might cause a major problem, he said. “With security, you can’t fix every issue, so you have to make business risk decisions. For example, an internal human resource tracking application that doesn’t face the web will not be as highly exposed as software dealing with online betting,” Jack added.

Another software security issue that has come to prominence in the past few years is the problem of compliance ­ making sure that software is certified as fit for purpose. Jack said there are two key areas to consider when it comes to meeting compliance mandates around software security. “The first is demonstrating that the application has been coded securely in the first place, by providing the reports and audit trails required by the regulation or statute,” he said.

The second area is the need to assure protection of these applications when they are in a live production setting. “Our Real Time Analysis system sits inside the application itself, providing thorough protection as well as the detailed attack forensics that are needed, not only for reporting purposes, but to give developers the information they need to address the underlying problem,” he said.