Application security experts have been beating the drum about building security into the software development life cycle, but accomplishing that requires getting developers to join the chorus.
Ounce Labs, with the announcement of the Ounce 4.0 source code vulnerability analysis tool, is reaching out to developers by letting them work inside the tools they are already comfortable with and by lowering the cost of entry. Ounce is built on the company's source code analysis engine and security knowledge base and is designed to integrate with the software development life cycle.
Version 4.0 plugs into integrated development environments (IDEs) and defect tracking systems. The Ounce Developer Plug-in for Microsoft Visual Studio 2005 and the Ounce Developer Plug-in for Eclipse let developers scan project code, find flaws and take the appropriate remediation steps without leaving their IDE.
"The most important thing we can do for the development community is to give them access to the results," said Jack Danahy, founder and chief technology officer of Ounce Labs, based in Waltham, Mass. "The real value we're providing is an understanding of the vulnerabilities. I think developers learning about the problems, and having access in the tools and frameworks they like to use to fix the problems, will [help] adoption."
In addition, licenses for the Developer Plug-in are free. "This will decrease the barriers to getting those folks [developers] involved [with security]," Danahy said. "We now have got results which have real value. We have found a way to eliminate much of the false-positive problem, and we want to feed this data down to developers."
If developers have not yet adopted automated tools that scan for security flaws, "it could be that the information provided has not been that valuable to them," he said. "We've got targeted and specific data. The other barrier is cost."
The Ounce product line also includes the Ounce Security Analyst, which gives audit and quality assurance teams tools to perform assessments, triage results and submit flaws to defect tracking systems, and the Ounce Portfolio Manager, which lets users track metrics-based results and make informed risk-mitigation decisions across an application portfolio, whether the applications are still in development or already deployed across the enterprise.
The use of automated code scanning tools is part of an "inside-out approach [to application security] versus outside-in that is becoming much more prevalent," according to Gary McGraw, Ph.D., chief technology officer at Cigital Inc., a software quality management consulting company in Dulles, Va.
In addition to Ounce Labs, other companies offering automated code scanning tools include Coverity Inc. in San Francisco; Fortify Software Inc. in Palo Alto, Calif.; Secure Software Inc. in McLean, Va.; SPI Dynamics in Atlanta; and Watchfire in Waltham, Mass.
McGraw recommends the use of those types of tools as a best practice in his latest book, Software Security: Building Security In (Addison-Wesley, 2006). In a recent interview, McGraw said, "What they do is help developers while they're writing code and compiling code to find and remove common software security bugs. My belief is if you are not using a tool like that, you are in fact negligent."
Beyond identifying programmer mistakes, Danahy said Ounce 4.0 also examines how cryptography is used and whether it is used correctly, and where authentication and access control are applied. "It's all maintained in a security profile that looks a lot like an auditor's report," he said.
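To make concrete what a source-code scanner of this kind actually does, the following is an added illustration written for this page; it is not Ounce's engine, nor code from any vendor named above. It walks the syntax tree of a Python module and flags three patterns an auditor would question: weak hash algorithms, string literals bound to secret-looking names, and SQL text assembled from runtime values before reaching `.execute()`. The rule names, the `scan_source` function and both sample modules are constructed for the example.

```python
"""Toy source-code vulnerability scanner (added illustration, not vendor code).

Walks a Python module's AST and reports patterns a security reviewer would
flag. Rule names and the sample modules below are constructed for this example.
"""
import ast
import re
from dataclasses import dataclass

# Assumed naming convention for "secret" variables; a real tool would be configurable.
SECRET_NAME = re.compile(r"(password|passwd|secret|api_key|token|private_key)", re.I)
WEAK_HASHES = {"md5", "sha1"}


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    message: str


class _Visitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def _report(self, node, rule, message):
        self.findings.append(Finding(node.lineno, rule, message))

    def visit_Assign(self, node):
        # Rule HARDCODED_SECRET: a string literal bound to a secret-looking name.
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                    self._report(node, "HARDCODED_SECRET",
                                 f"string literal assigned to '{target.id}'")
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        # Rule WEAK_HASH: hashlib.md5(...), hashlib.sha1(...) or hashlib.new("md5"/"sha1").
        if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id == "hashlib"):
            if func.attr in WEAK_HASHES:
                self._report(node, "WEAK_HASH", f"hashlib.{func.attr}() used")
            elif (func.attr == "new" and node.args
                  and isinstance(node.args[0], ast.Constant)
                  and str(node.args[0].value).lower() in WEAK_HASHES):
                self._report(node, "WEAK_HASH",
                             f"hashlib.new({node.args[0].value!r}) used")
        # Rule SQL_STRING_BUILD: first argument to .execute() is built by
        # concatenation, %-formatting, str.format() or an f-string.
        if isinstance(func, ast.Attribute) and func.attr == "execute" and node.args:
            q = node.args[0]
            built = (
                (isinstance(q, ast.BinOp) and isinstance(q.op, (ast.Add, ast.Mod)))
                or isinstance(q, ast.JoinedStr)
                or (isinstance(q, ast.Call) and isinstance(q.func, ast.Attribute)
                    and q.func.attr == "format")
            )
            if built:
                self._report(node, "SQL_STRING_BUILD",
                             "query text built from runtime values; use parameters")
        self.generic_visit(node)


def scan_source(source, filename="<string>"):
    """Return the findings for one Python source text, ordered by line number."""
    visitor = _Visitor()
    visitor.visit(ast.parse(source, filename))
    return sorted(visitor.findings, key=lambda f: (f.line, f.rule))


# Constructed sample input: a deliberately flawed module and a cleaned-up version.
FLAWED_SAMPLE = '''
import hashlib
db_password = "hunter2"
def lookup(conn, user):
    digest = hashlib.md5(user.encode()).hexdigest()
    conn.execute("SELECT * FROM users WHERE name = '" + user + "'")
    conn.execute(f"SELECT * FROM users WHERE tag = '{digest}'")
    return hashlib.new("sha1", user.encode())
'''

CLEAN_SAMPLE = '''
import hashlib, os
db_password = os.environ.get("DB_PASSWORD")
def lookup(conn, user):
    digest = hashlib.sha256(user.encode()).hexdigest()
    conn.execute("SELECT * FROM users WHERE name = ?", (user,))
    return digest
'''

if __name__ == "__main__":
    for f in scan_source(FLAWED_SAMPLE, "flawed.py"):
        print(f"flawed.py:{f.line}: {f.rule}: {f.message}")
    print("clean.py findings:", len(scan_source(CLEAN_SAMPLE, "clean.py")))
```

Run as a script, it reports five findings in the flawed module (lines 3, 5, 6, 7 and 8) and none in the clean one. Matching on syntax alone is also where the false-positive problem Danahy mentions comes from: `hashlib.md5` used only as a non-security checksum would still be flagged here, which is why commercial engines add data-flow analysis and a tunable knowledge base on top of pattern rules like these.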
Looking ahead, Danahy said to expect integration with other testing tools, as well as support for some older languages. "This is a complex space. There's a lot of work to do to satisfy the problem and understand and improve security."