Software development must be one of the most complex aspects of IT. Although tools, processes and methodologies have come a long way in the 20 years or so I have been around the subject there is still a huge reliance on the ability of your development team.
And alongside ability must come trustworthiness.
In the millions of lines of code that are churned out each day there is ample opportunity for the inside threat to rear its ugly head. The thoughts of members of your team accidentally writing code that leads to buffer overflows and SQL injection attacks must give development managers a fretful time. Worse than that is the thoughts of deliberate sabotage to your code and attempts to install secret backdoors that can be abused in the future. Back to the non-malicious/incompetent inside threat verses the competent/malicious threat all over again.
This problem is a bad enough consideration when you are employing teams directly, but what about the growing fashion to outsource development to overseas companies for a fraction of the cost of local talent? Financially, at least superficially, it appears to make some sense but you are, in effect, allowing your code to be developed by person or persons completely unknown to you in a foreign land you may never have even visited.
Industrial espionage, or good old fashioned spying, is as alive and well today as it has ever been. In fact, a lot of time and effort from the security agencies is tied up in dealing with this issue, and contacts have assured me it is worse now than it has ever been as developing countries try to steal a march (maybe even literally) against the developed world. Spying between developed nations is also a problem, with some larger European countries having a dreadful reputation for trying to obtain industrial secrets from so called allies. Software development is an obvious target.
So tools that help development managers have some semblance of control over the quality and security of code are now an important part of their kit bag. One such supplier is Ounce Labs, who were founded in 2002 by technicians fully aware of the security problem that rogue code could present.
Ounce 5, released in June 2007, is embedded into the development methodology so that the quality of the code can be checked at all stages in the development lifecycle. The code can be benchmarked against a number of standards including OWASP and PCI which makes it very attractive to compliance managers. Typical problems detected include hard coded passwords, sensitive data written in an unencrypted format, time bombs and firewall by-passing. Unfortunately these problems can only, generally, be found by inspecting lines of code, which would be a very intensive manual process.
Ounce Labs have created a patented source code analysis tool that inspects code automatically to detect possible threats. The code can be written in a number of languages including Java, JSP, C, C++, C#, VB.NET, ASP.NET and Classic ASP although not, at this moment in time, in T-SQL or PLSQL. The results are displayed in a classic traffic light dashboard indicating high, medium and low severity problems along with a more focused PCI "SmartAudit" for those interested in specific compliance needs.
The appeal of the simple presentation of such a complex issue is obvious. Development managers can show their bosses lots of green lights to show how clever they are and indeed some customers of outsourced development contracts use the Ounce Labs report as a key indicator of software quality and for the release of subsequent payments.
The downside of this approach is that decision makers get seduced by green lights whilst their developers look for even more creative ways of inserting malicious code. No sensible person will ever declare that a product such as Ounce 5 will guarantee that your code is 100% secure but as an indicator that covers 95% of the possibilities it is a whole lot more convincing than a sweating development manager putting his career on the line as he attempts to assure his bosses that the code is secure.
If I ever had the dubious pleasure of running software development projects again I for sure would take a long hard look at a solution such as Ounce 5.