SPI, Ounce Labs Introduce Code Security, Dev Tools

SPI Dynamics and Ounce Labs take different paths to locking down code, both aim at what many security experts see as the cause of most vulnerabilities: poorly written code.

Application security specialist SPI Dynamics Inc. is rolling out a solution that helps developers lock down applications during development through secure chunks of code.

Meanwhile, startup Ounce Labs Inc., of Waltham, Mass., has released the second version of its Prexis source code analysis tool. While SPI Dynamics and Ounce Labs take different paths, both aim at what many security experts see as the cause of most vulnerabilities: poorly written code.

Known as SecureObjects, SPI Dynamics release will be merged with Microsoft Corp.s Visual Studio .Net 2003 and gives developers a library of securely written code they can insert into applications. Most code-level security vulnerabilities result from common programming errors, experts say. To fix this, SPI Dynamics offers a set of objects, each of which has a role during application development. One type of object can be inserted into Web applications to check incoming data on Web forms. The object compares the data with rules governing the types of input allowed. A second kind of object handles security events generated by other objects in the solutions library.

Code cleaners




• Replaces flawed source code with securely written objects
• Handles error reports
• Suggests remediation actions


• Scans source code for security flaws
• Suggests remediation ideas
• Gives a metric of the vulnerability density of each application

Inserting the objects into applications does not require major code changes, and developers can drag and drop them where needed. "It doesnt require developers to learn about security," said Caleb Sima, co-founder and chief technology officer of SPI Dynamics, based in Atlanta. "You really just need to validate input to eliminate most application vulnerabilities."

The company plans to merge SecureObjects with its flagship WebInspect product. SecureObjects is due for general availability this quarter. SPI Dynamics plans to release versions for ASP.Net and Java in the near future.

Meanwhile, Ounce Labs new version of Prexis, which scans source code for vulnerabilities, can determine the number and severity of flaws found in an application. The V-Density (vulnerability density) measurement gauges the security of applications relative to one another, giving IT managers a way to prioritize the task of fixing vulnerabilities.

Prexis 2.0, available now, is for C and C++ applications. A Java module is slated to be available this month.


Check out eWEEK.coms Developer & Web Services Center at http://developer.eweek.com for the latest news, reviews and analysis in programming environments and developer tools.


Be sure to add our eWEEK.com developer and Web services news feed to your RSS newsreader or My Yahoo page