Ounce Labs reaches out to developers with new analysis tool

By Colleen Frye, News Writer
09 Jun 2006 | SearchAppSecurity.com


Application security experts have been beating the drum about building security into the software development life cycle, but accomplishing that requires getting developers to join the chorus.

With the announcement of the Ounce 4.0 source code vulnerability analysis tool, Ounce Labs is reaching out to developers by letting them work with the tools they are already comfortable with, and by lowering the cost of entry. Ounce is built on the company's source code analysis engine and security knowledge base and is designed to integrate with the software development life cycle.

The 4.0 version integrates with integrated development environments (IDEs) and defect tracking systems. The Ounce Developer Plug-in for Microsoft Visual Studio 2005 and Ounce Developer Plug-in for Eclipse allow developers to scan project code, find flaws and take appropriate remediation steps all within their IDE.

"The most important thing we can do for the development community is to give them access to the results," said Jack Danahy, founder and chief technology officer of Ounce Labs, based in Waltham, Mass. "The real value we're providing is an understanding of the vulnerabilities. I think developers learning about the problems, and having access in the tools and frameworks they like to use to fix the problems, will [help] adoption."


In addition, licenses for the Developer Plug-in are free. "This will decrease the barriers to getting those folks [developers] involved [with security]," Danahy said. "We now have got results which have real value. We have found a way to eliminate much of the false-positive problem, and we want to feed this data down to developers."

If developers have not yet adopted automated tools that scan for security flaws, "it could be that the information provided has not been that valuable to them," he said. "We've got targeted and specific data. The other barrier is cost."

The Ounce product line also includes the Ounce Security Analyst, which gives audit and quality assurance teams tools to perform assessments, triage results and submit flaws to defect tracking systems, and the Ounce Portfolio Manager, which lets users track metrics-based results and make informed risk-mitigation decisions across an application portfolio, whether the applications are still in development or already deployed across an enterprise.

The use of automated code scanning tools is part of an "inside-out approach [to application security] versus outside-in that is becoming much more prevalent," according to Gary McGraw, Ph.D., chief technology officer at Cigital Inc., a software quality management consulting company in Dulles, Va.

In addition to Ounce Labs, other companies offering automated code scanning tools include Coverity Inc. in San Francisco; Fortify Software Inc. in Palo Alto, Calif.; Secure Software Inc. in McLean, Va.; SPI Dynamics in Atlanta; and Watchfire in Waltham, Mass.


McGraw recommends the use of those types of tools as a best practice in his latest book, Software Security: Building Security In (Addison-Wesley, 2006). In a recent interview, McGraw said, "What they do is help developers while they're writing code and compiling code to find and remove common software security bugs. My belief is if you are not using a tool like that, you are in fact negligent."

In addition to identifying programmer mistakes, Danahy said Ounce 4.0 also examines how cryptography is used and whether it is used correctly, as well as where authentication and access controls are applied. "It's all maintained in a security profile that looks a lot like an auditor's report," he said.

Looking ahead, Danahy said to expect integration with other testing tools, as well as support for some of the older languages. "This is a complex space. There's a lot of work to do to satisfy the problem and understand and improve security."
