SPI, Ounce Labs Target Poorly Written Code | eWeek

SPI, Ounce Labs Target Poorly Written Code

Écrit par
Dennis Fisher
Dennis Fisher
Jun 28, 2004
2 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

Application security specialist SPI Dynamics Inc. on Monday rolled out a new solution designed to help developers lock down their applications during development through the use of secure chunks of code.

Also on Monday, a small startup, Ounce Labs Inc., of Waltham, Mass., released the second version of its Prexis source-code analysis tool. While SPI Dynamics and Ounce Labs take different approaches, both companies are aiming at what many security experts see as the root cause of most vulnerabilities: poorly written code.

Known as SecureObjects, SPI Dynamics new release will be integrated with Microsoft Corp.s Visual Studio .Net 2003 and is meant to give developers a library of securely written pieces of code that they can insert into their applications in specific situations. Most security vulnerabilities at the code level are the result of common programming errors, such as the failure to check the length of a memory buffer or the input from a Web form.

To remedy this, SPI Dynamics has developed a set of objects, each of which performs a specific function during the application development process. One type of object can be inserted into Web applications to check the incoming data on Web forms. The object compares the data against a pre-determined set of rules that governs what types of input are allowed. A second kind of object handles all of the security events generated by the other objects in the solutions library.

Inserting the objects into applications doesnt require any major changes to the code, and developers can simply drag and drop them wherever theyre needed.

“It doesnt require developers to learn about security,” said Caleb Sima, founder and chief technology officer of SPI Dynamics, based in Atlanta. “You really just need to validate input to eliminate most application vulnerabilities.”

For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.

The company plans to integrate SecureObjects with its flagship WebInspect product. SecureObjects is due for general availability in the third quarter. SPI Dynamics also plans to release versions for ASP and Java in the near future.

Meanwhile, Ounce Labs new version of Prexis, which scans source code for vulnerabilities, now includes a way to measure the number and severity of the flaws found in a given application. The V-Density measurement is meant to gauge the security of applications relative to one another, giving administrators and IT managers a way to prioritize the task of fixing vulnerabilities.

Prexis 2.0, which is available now, is meant for C and C++ applications, although a Java module is in the works and will be available in July.

Check out eWEEK.coms Security Center at http://security.eweek.com for the latest security news, reviews and analysis.

Be sure to add our eWEEK.com developer and Web services news feed to your RSS newsreader or My Yahoo page

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.