IBM acquired source code security testing vendor Ounce Labs Inc. Tuesday in a move that will integrate the firm's software testing technology into IBM's Rational software business.
Waltham, Mass.-based Ounce Labs scans software source code and identifies potential security and compliance vulnerabilities during the early stages of software development, when they are less expensive to correct.
IBM, Armonk, N.Y., said Ounce Labs technology will be offered as part of the IBM Rational AppScan family of Web application security and compliance testing software. The goal is to sell tools that can provide application security analysis capabilities across the software development lifecycle (SDLC), from coding to production. Financial terms of the deal were not disclosed.
Experts stopped short of calling the deal groundbreaking, instead saying the it was a natural fit for IBM, which has been acquiring companies to fill out secure software development offerings. In 2007, IBM acquired Web application vulnerability scanning vendor Watchfire Corp., which became part of IBM's Rational development platform. IBM Rational provides tools for developers to model, design and build Web-based architectures for SOA, systems and applications. Hewlett-Packard Co. mirrored IBM with an acquisition of Watchfire competitor SPI Dynamics Inc.
"It's functionality that will support previous acquisitions," said Nick Selby, a consultant and president and cofounder of Cambridge Infosec Associates Inc. "IBM has been bringing security deeper into the development stage as opposed to trying to figure out what happened afterward by reverse engineering. The ability to run testing and get input at the development stage and get engineers to find better ways for secure coding just makes a lot of sense."
Ounce Labs has competed with Cenzic Inc. and Klocwork Inc., vendors that conduct source code analysis. Other application security vendors focus on dynamic testing, reverse engineering and fuzzing.
Ounce Labs has been in a market with a fairly limited niche technology. The company has partnered with other vendors for Web application vulnerability analysis to try to bring static code analysis into the post deployment testing phase, Selby said. But Ounce Labs may have been ahead of its time, he said.
"They were pushing secure coding when organizations didn't want to hear about it," Selby said. "People are realizing the better, more elegant and ultimately less expensive way to build code is to build in security from the very beginning."
Jack Danahy, cofounder and chief technology officer of Ounce Labs, said the IBM acquisition will help existing customers leverage IBM's Rational tools. Ounce Labs had provided a plug-in for Rational that was popular with Ounce Labs customers. Danahy, who has been pushing source code analysis in the software development lifecycle since 2002, said companies are finally starting to get the message.
"It's sometimes difficult to make that kind of awareness happen when you are a small company. It's taken organizations time to recognize and show others that if you look at code early on you can save money," Danahy said. "Now I've got a bullhorn, so this is an extremely exciting development."
Danahy will continue to oversee Ounce Labs during the integration. He said his vision is to see black box and white box testing correlated in a way never seen before with IBM filling in gaps over time to enable customers secure the software development lifecycle. Danny Allan, director of security research at IBM Rational, said the company planned to maintain a development staff for Ounce Labs. No layoffs as a result of the acquisition are expected, he said.
"It is very critical and important for IBM to maintain that level of knowledge right across the board," Allan said. "It's a priority to keep that brain trust in-house."