News

College-based program targets security holes at the source

The road to a professional career usually begins in college; now, a software vendor believes that same route can make for more secure software.

Ounce Labs, Inc., based in Waltham, Mass., has committed more than $500,000 in research grants and software to launch a program – The Ounce Labs Secure Foundation Initiative – that will help promote best practices in secure coding at three universities: George Washington University, The Center for Education and Research in Information Assurance (CERIAS) at Purdue University, and HACNet Lab at Southern Methodist University. Chris McClean, public relations manager at Ounce Labs, said the vendor may commit more if other universities show interest.

“Development of reliable, secure software has historically been presented as a separate subject, but we now recognize it as a primary skill that should be taught throughout computer science and engineering curricula,” said Eugene Spafford, CERIAS’ executive director, in a statement distributed by Ounce Labs.

Part of Ounce Labs’ commitment will include some of its source code vulnerability analysis software, Prexis, which will let students compare security levels of applications over time and against other applications. The product automatically scans source code to analyze an application’s overall security and pinpoint vulnerabilities that need to be fixed.

Information security is a primary concern within corporate IT, especially in light of oft-cited increases in cyberattacks. For instance, a poll of 85 chief security officers who attended the second CSO Interchange conference in New York City earlier this month found that 58 percent rated worms, viruses, Trojan horses and regulatory compliance as their chief security concerns, according to a statement from Qualys, Inc., an information security vendor that sponsored the event. Also, 62 percent believe they don’t get sufficient early warning on major cyberattacks, and 80 percent reported that cyberattacks had a bottom-line financial impact on their organizations.

“Well constructed software is the core of information security,” Ounce Labs CEO Jack Danahy said. “The industry as a whole must make proper coding techniques a top priority throughout development.”

“Software assurance requires a method by which security attributes are measured, analyzed, and managed throughout the development lifecycle,” Julie Ryan, lead professor of information security management at George Washington University, said in the Ounce Labs statement. The company’s initiative, she added, “will be a critical element in our effort to train future security managers to address flaws at their source.”