Ounce’s Code Scanning Prevents Vulnerabilities, Foils Attacks
May 05, 2006 3:00 PM ET
An ounce of prevention is worth a pound of cure, say ISVs and partners focused on making applications more secure by design. One Waltham, Mass.-based ISV, Ounce Labs, has developed an innovative code-scanning and analysis platform called Prexis that scours Java and C/C++ applications for vulnerabilities. New support for Microsoft’s .Net—made available in the Prexis 3.3 update in April—will vastly expand opportunities, partners said.
“The more languages they support, the more acceptance there will be,” said Rick Rosenburg, managing partner of defense and intelligence for Unisys’ U.S. Federal Government Group, an Ounce Labs partner in Reston, Va. “When you start talking to customers about business applications and financial applications, a lot are written in .Net.”
Ounce Labs’ upgraded code-analysis platform—due this July and available for open-source/Linux and Microsoft platforms—will be renamed Ounce 4.0, a spokesman said.
Ounce Labs’ inner circle is a seasoned team of security experts, including CTO Jack Danahy and engineering vice president Larry Rose, who were awarded a patent for developing a secured distributed management system for Hewlett-Packard (which acquired Apollo Computer) in the 1980s and built a managed security service for BBN Technologies in the 1990s. They and other Ounce Labs execs founded Qiave Technologies, which was sold to WatchGuard in 2000.
Ounce Labs has 45 employees and a direct sales force, but the company is growing its partner force to expand its market, Danahy said. “Most applications are insecure—where they’re developed, offshore, insourced or outsourced,” he said. “Routinely, we go into a place where an application is developed by smart people and we find tens or hundreds of things broken.”
Unisys has been using Prexis since July and resells it because it is the “fastest code-scanning tool on the market,” scans multiple applications linked together, prioritizes results and recommends how to fix them, Rosenburg said. “The value of the dashboard and the high-level decision-making of Prexis adds tremendous value, while others provide just raw data,” he said.
Code scanning pleases users who are tired of patching vulnerabilities and addresses concerns about insiders in an organization who have access to code.
“IT is becoming a weapons system in and of itself, so application data has to be protected and agencies have to make sure people are not modifying or changing the code. Sometimes, the enemy is within,” said Regis Sullivan, manager at immixGroup, an Ounce Labs partner in McLean, Va. “You need to make sure the application hasn’t been tampered with. Ounce is a critical piece of that,” he said. “Code-scanning tools can help find vulnerabilities that slipped through the cracks and prevent vulnerabilities from getting in there,” said Chris Luca, manager in Microsoft’s Visual Studio group.
Microsoft integrated a code-scanning feature in Visual Studio 2005 called Analyze, based on a homegrown tool called PreFast, or FxCop, originally developed for internal use only. Microsoft externalized that but also works with Ounce Labs, Fortify, SPI Dynamics and Compuware to fill in the gaps, a spokesman said.
The opportunity is there. According to a report issued in February by Gartner Group, code-scanning tools from Ounce Labs, Secure Software, Fortify Software and Coverity are sufficient for automating aspects of the code-review process but are not a “complete substitute for human analysis.” That analysis is performed by Ounce Labs’ partners such as Unisys, Crowe Chizek, immixGroup and Aspect.
Ounce Labs’ platform is targeted at ISVs, corporate developers, custom application developers and channel partners—some of whom started out as customers and ended up partners. “They are the ones ahead of the curve who came to us,” Danahy said.
Code scanning is complex and is not for people lacking security expertise. But use of those tools—or lack thereof—can be felt across an entire organization—from the CEO to the programmer, the CTO added.
“The technology will make your hair hurt, but the analysis will derive granular results across tens of applications using consistent metrics,” Danahy said. “The people who pay the ultimate price [for not doing code scanning] are not the developers—they’re the execs who make business decisions.”