SPI, Ounce Labs Introduce Code Security, Dev Tools
Application security specialist SPI Dynamics Inc. is rolling out a solution that helps developers lock down applications during development through secure chunks of code.
Meanwhile, startup Ounce Labs Inc., of Waltham, Mass., has released the second version of its Prexis source code analysis tool. While SPI Dynamics and Ounce Labs take different paths, both aim at what many security experts see as the cause of most vulnerabilities: poorly written code.
Known as SecureObjects, SPI Dynamics release will be merged with Microsoft Corp.s Visual Studio .Net 2003 and gives developers a library of securely written code they can insert into applications. Most code-level security vulnerabilities result from common programming errors, experts say. To fix this, SPI Dynamics offers a set of objects, each of which has a role during application development. One type of object can be inserted into Web applications to check incoming data on Web forms. The object compares the data with rules governing the types of input allowed. A second kind of object handles security events generated by other objects in the solutions library.
Inserting the objects into applications does not require major code changes, and developers can drag and drop them where needed. "It doesnt require developers to learn about security," said Caleb Sima, co-founder and chief technology officer of SPI Dynamics, based in Atlanta. "You really just need to validate input to eliminate most application vulnerabilities."
The company plans to merge SecureObjects with its flagship WebInspect product. SecureObjects is due for general availability this quarter. SPI Dynamics plans to release versions for ASP.Net and Java in the near future.
Meanwhile, Ounce Labs new version of Prexis, which scans source code for vulnerabilities, can determine the number and severity of flaws found in an application. The V-Density (vulnerability density) measurement gauges the security of applications relative to one another, giving IT managers a way to prioritize the task of fixing vulnerabilities.
Prexis 2.0, available now, is for C and C++ applications. A Java module is slated to be available this month.