Targeting security issues during development

A recent Gartner report suggests that using source code scanning tools to integrate security best practices is the most effective way to address software vulnerabilities, and that integrating them during the software dev process often reduces support costs.

As cyberattacks continue to penetrate the app layer, businesses are acknowledging the need to implement software security assurance. And, according to Ounce Labs, just-released version 4.0 is a direct response to requests from customers using earlier versions of its software.

Just ask Brent Huston, security evangelist and CEO of Columbus, Ohio-based MicroSolved, who invested in version 4.0 just three months after first using Ounce. The information security company uses the software to review client apps.

“To some extent, it’s a great fact-finding tool and a good source of comparison for our clients,” says Huston. “Our job is to find as many holes as we can in apps, so we’re looking for the greatest number of risks.”

Dissatisfied with competing software, MicroSolved “shopped around” before making the switch to Ounce earlier this year. Huston said that before Ounce, the company had to run four open-source security tools, along with in-house tools, to dredge up the information that Ounce delivers in a single app.

Ounce 4.0—built on the company’s source code analysis engine and security knowledgebase—marks the industry’s only enterprise-level architecture for software security assurance. The latest version also incorporates the Ounce Security Analyst, Ounce Portfolio Manager and Ounce Developer Plug-In, which includes free licenses, enabling unlimited personnel access to assessment results, vulnerability descriptions and remediation advice.

“It’s allowed us to address a wider range of development issues,” says Huston, citing the convenience of app comparisons and coding best practices.

Ounce 4.0 promises a new standard in source code vulnerability analysis solutions, integrating with the software dev lifecycle to deliver the speediest time-to-results, and featuring improved assessment accuracy.

Ounce Labs, based in Waltham, Mass., made the announcement earlier this month at the Gartner IT Security Summit held in Washington, D.C. And the software—whose clients include those in the financial services sector, telecommunications, software dev industry and municipalities—also provides users with an innovative licensing model.

“Organizations are so confident in Ounce’s accuracy that they incorporate the assessment results into certification programs, compliance reporting and contract languages, in some cases even penalizing application providers financially based on reported vulnerabilities in the code,” said Hugh Scandrett, Ounce CEO. “With Ounce 4.0, we took our industry-leading analysis and reporting, and extended its capabilities throughout the development infrastructure and across the enterprise.”

Ounce says 4.0 promises business-level results and a plethora of security perks. Its pattern-based semantic analysis, with an expanded knowledgebase, works with a security assessment engine that isolates the greatest number of security risks. The software weeds real threats from potential ones, promising faster time-to-results. The system—which provides graphical analysis and remediation assignment through DTS systems—is capable of analyzing apps as large as 50 million lines of code in a single assessment, rather than individual scans.

Other Ounce benefits include compatibility with existing dev organizations through new integrated development environment (IDE) and defect tracking system (DTS) integration. The Developer Plug-in scans project code, pinpoints flaws and offers mitigations drawn from the Ounce Knowledgebase—all within the developer’s IDE. And the new Portfolio Manager supports customizable app groups and lets those groups view results in an assessment database, from which they can launch metrics-based reports on enterprise-wide app security.

Huston says Ounce’s drawbacks are few and far between, though he hopes it will eventually add support for the Ruby and Perl languages. “We’re very comfortable with the tool and our clients love the detail of this report,” he said.

According to Ounce Public Relations Manager Chris McClean, version 4.0 will hit store shelves during the first week of August, with software package prices ranging from $50,000 to $500,000.

About the Author

Jason Turcotte is an assistant editor at Application Development Trends. He can be reached at [email protected].