Targeting security issues during development
- By Jason Turcotte
- June 7, 2006
A recent Gartner report suggests that using source code scanning tools to integrate
security best practices is the most effective way to address software vulnerabilities.
Integrating those tools into the software development process also often reduces support costs.
As cyberattacks continue to penetrate the application layer, businesses are acknowledging
the need to implement software security assurance. And, according to Ounce Labs, its
just-released version 4.0 is a direct response to requests from customers using
earlier versions of its software.
Just ask Brent Huston, security evangelist and CEO of Columbus, Ohio-based
MicroSolved, who invested in version 4.0 just three months after first using
Ounce. The information security company uses the software to review client apps.
“To some extent, it’s a great fact-finding tool and a good source
of comparison for our clients,” says Huston. “Our job is to find
as many holes as we can in apps, so we’re looking for the greatest number
of risks.”
Dissatisfied with competing software, MicroSolved “shopped around”
before making the switch to Ounce earlier this year. Huston said life before
Ounce required the implementation of four open-source security tools, along
with in-house tools, to dredge up the information that Ounce extracts in a single application.
Ounce 4.0—built on the company’s source code analysis engine and
security knowledgebase—marks the industry’s only enterprise-level
architecture for software security assurance. The latest version also incorporates
the Ounce Security Analyst, Ounce Portfolio Manager and Ounce Developer Plug-In,
which includes free licenses, enabling unlimited personnel access to assessment
results, vulnerability descriptions and remediation advice.
“It’s allowed us to address a wider range of development issues,”
says Huston, citing the convenience of app comparisons and coding best practices.
Ounce 4.0 promises a new standard in source code vulnerability analysis,
integrating with the software development lifecycle to deliver the fastest time-to-results
and offering improved assessment accuracy.
Ounce Labs, based in Waltham, Mass., made the announcement earlier this month at the Gartner
IT Security Summit held in Washington, D.C. And the software—whose clients
include those in the financial services sector, telecommunications, software
dev industry and municipalities—also provides users with an innovative
licensing model.
“Organizations are so confident in Ounce’s accuracy that they incorporate
the assessment results into certification programs, compliance reporting and
contract languages, in some cases even penalizing application providers financially
based on reported vulnerabilities in the code,” said Hugh Scandrett, Ounce
CEO. “With Ounce 4.0, we took our industry-leading analysis and reporting,
and extended its capabilities throughout the development infrastructure and
across the enterprise.”
Ounce says 4.0 promises business-level results and a plethora of security perks.
Its pattern-based semantic analysis, with an expanded knowledgebase, works with
a security assessment engine that isolates the greatest number of security risks.
The software weeds real threats from potential ones, promising faster time-to-results.
The system—which provides graphical analysis and remediation assignment
through DTS systems—is capable of analyzing apps as large as 50 million
lines of code in a single assessment, rather than individual scans.
Other Ounce benefits include compatibility with existing development organizations through new
integrated development environment (IDE) and defect tracking system (DTS) integration.
The Developer Plug-in scans project code, pinpoints flaws and offers mitigations from
the Ounce Knowledgebase—all within the developer's IDE. And the new Portfolio Manager
supports customizable application groups and lets those groups view results
from an assessment database and launch metrics-based reports of enterprise-wide
application security.
Huston says Ounce drawbacks are few and far between, though he hopes it will
eventually offer the inclusion of Ruby and Perl languages. “We’re
very comfortable with the tool and our clients love the detail of this report,”
he said.
According to Ounce Public Relations Manager Chris McClean, version 4.0 will
hit store shelves during the first week of August, with software package prices
ranging from $50,000 to $500,000.
About the Author
Jason Turcotte is an assistant editor at Application Development Trends. He can be reached at [email protected].