IBM acquires Ounce Labs for source code analysis

By Robert Westervelt, News Editor
28 Jul 2009 | SearchSecurity.com


IBM acquired source code security testing vendor Ounce Labs Inc. Tuesday in a move that will integrate the firm's software testing technology into IBM's Rational software business.

Waltham, Mass.-based Ounce Labs scans software source code and identifies potential security and compliance vulnerabilities during the early stages of software development, when they are less expensive to correct.

IBM, Armonk, N.Y., said Ounce Labs technology will be offered as part of the IBM Rational AppScan family of Web application security and compliance testing software. The goal is to sell tools that can provide application security analysis capabilities across the software development lifecycle (SDLC), from coding to production. Financial terms of the deal were not disclosed.

Experts stopped short of calling the deal groundbreaking, instead saying it was a natural fit for IBM, which has been acquiring companies to fill out its secure software development offerings. In 2007, IBM acquired Web application vulnerability scanning vendor Watchfire Corp., which became part of IBM's Rational development platform. IBM Rational provides tools for developers to model, design and build Web-based architectures for SOA, systems and applications. Hewlett-Packard Co. mirrored IBM with an acquisition of Watchfire competitor SPI Dynamics Inc.

"It's functionality that will support previous acquisitions," said Nick Selby, a consultant and president and cofounder of Cambridge Infosec Associates Inc. "IBM has been bringing security deeper into the development stage as opposed to trying to figure out what happened afterward by reverse engineering. The ability to run testing and get input at the development stage and get engineers to find better ways for secure coding just makes a lot of sense."

Ounce Labs has competed with Cenzic Inc. and Klocwork Inc., vendors that conduct source code analysis. Other application security vendors focus on dynamic testing, reverse engineering and fuzzing.

Ounce Labs has been in a market with a fairly limited niche technology. The company has partnered with other vendors for Web application vulnerability analysis to try to bring static code analysis into the post-deployment testing phase, Selby said. But Ounce Labs may have been ahead of its time, he said.

"They were pushing secure coding when organizations didn't want to hear about it," Selby said. "People are realizing the better, more elegant and ultimately less expensive way to build code is to build in security from the very beginning."

Jack Danahy, cofounder and chief technology officer of Ounce Labs, said the IBM acquisition will help existing customers leverage IBM's Rational tools. Ounce Labs had provided a plug-in for Rational that was popular with Ounce Labs customers. Danahy, who has been pushing source code analysis in the software development lifecycle since 2002, said companies are finally starting to get the message.

"It's sometimes difficult to make that kind of awareness happen when you are a small company. It's taken organizations time to recognize and show others that if you look at code early on you can save money," Danahy said. "Now I've got a bullhorn, so this is an extremely exciting development."

Danahy will continue to oversee Ounce Labs during the integration. He said his vision is to see black box and white box testing correlated in a way never seen before, with IBM filling in gaps over time to enable customers to secure the software development lifecycle. Danny Allan, director of security research at IBM Rational, said the company planned to maintain a development staff for Ounce Labs. No layoffs as a result of the acquisition are expected, he said.

"It is very critical and important for IBM to maintain that level of knowledge right across the board," Allan said. "It's a priority to keep that brain trust in-house."
