Ounce Labs weighs into rogue code

Written By: Nigel Stanley
Content Copyright © 2008 Bloor. All Rights Reserved.

Software development must be one of the most complex aspects
of IT. Although tools, processes and methodologies have come a long way in the
20 years or so I have been around the subject, there is still a huge reliance on
the ability of your development team.

And alongside ability must come trustworthiness.

In the millions of lines of code that are churned out each
day there is ample opportunity for the inside threat to rear its ugly head. The
thought of members of your team accidentally writing code that leads to buffer
overflows and SQL injection attacks must give development managers a fretful
time. Worse than that is the thought of deliberate sabotage to your code and
attempts to install secret backdoors that can be abused in the future. Back to the
non-malicious/incompetent inside threat versus the competent/malicious threat
all over again.

This problem is a bad enough consideration when you are
employing teams directly, but what about the growing fashion to outsource
development to overseas companies for a fraction of the cost of local talent?
Financially, at least superficially, it appears to make some sense but you are,
in effect, allowing your code to be developed by person or persons completely
unknown to you in a foreign land you may never have even visited.

Industrial espionage, or good old-fashioned spying, is as
alive and well today as it has ever been. In fact, a lot of time and effort from
the security agencies is tied up in dealing with this issue, and contacts have
assured me it is worse now than it has ever been as developing countries try to
steal a march (maybe even literally) against the developed world. Spying
between developed nations is also a problem, with some larger European
countries having a dreadful reputation for trying to obtain industrial secrets
from so-called allies. Software development is an obvious target.

So tools that help development managers have
some semblance of control over the quality and security of code are now an
important part of their kit bag. One such supplier is Ounce Labs, who were
founded in 2002 by technicians fully aware of the security problem that rogue
code could present.

Ounce 5, released in June 2007, is embedded into the
development methodology so that the quality of the code can be checked at all
stages in the development lifecycle. The code can be benchmarked against a
number of standards including OWASP and PCI, which makes it very attractive to
compliance managers. Typical problems detected include hard-coded passwords,
sensitive data written in an unencrypted format, time bombs and firewall bypassing.
Unfortunately these problems can generally only be found by inspecting lines
of code, which would be a very intensive manual process.

Ounce Labs have created a patented source code analysis tool
that inspects code automatically to detect possible threats. The code can be
written in a number of languages including Java, JSP, C, C++, C#, VB.NET,
ASP.NET and Classic ASP although not, at this moment in time, in T-SQL or
PL/SQL. The results are displayed in a
classic traffic light dashboard indicating high, medium and low severity
problems along with a more focused PCI “SmartAudit” for those interested in specific
compliance needs.
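To make concrete what a source code analysis tool is looking for, here is an added illustration (not Ounce 5's engine, not any of its rules, and not code from Ounce Labs or Bloor) of the simplest form of the technique: a handful of pattern rules for the problem classes named above (hard-coded credentials, date-triggered logic of the time-bomb shape, sensitive data written out in the clear, hard-wired network endpoints) run over a constructed source sample, with the findings rolled up into the high/medium/low traffic light the article describes. The rule names, severities, regular expressions and the sample source are all constructed for this example.

```python
"""Toy pattern-based source code scanner (constructed example, not a product's engine)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Pattern, Tuple


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str      # "high", "medium" or "low", as on a traffic-light dashboard
    line_no: int
    line: str


# Each rule is (name, severity, regex). These are deliberately simple line-level
# patterns; a production analyser tracks data flow across statements and files.
RULES: List[Tuple[str, str, Pattern[str]]] = [
    # A credential-looking identifier assigned a string literal.
    ("hardcoded-credential", "high",
     re.compile(r"(password|passwd|pwd|secret|api_key)\b\s*[:=]\s*['\"][^'\"]+['\"]", re.I)),
    # A conditional that compares a date/time against a specific year literal.
    ("date-triggered-logic", "high",
     re.compile(r"\bif\b.*\b(date|today|now)\b.*\b(19|20)\d{2}\b", re.I)),
    # A write/print/log call whose arguments mention a sensitive field.
    ("plaintext-sensitive-write", "medium",
     re.compile(r"\b(write|print|log|save)\w*\(.*\b(password|ssn|card_number|token)\b", re.I)),
    # A socket/connect call with a literal IPv4 address instead of configuration.
    ("hardcoded-network-endpoint", "low",
     re.compile(r"(connect|socket)\w*\(.*\b\d{1,3}(\.\d{1,3}){3}\b", re.I)),
]


def scan_source(source: str) -> List[Finding]:
    """Apply every rule to every line; return findings in source order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for name, severity, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(name, severity, line_no, line.strip()))
    return findings


def traffic_light(findings: List[Finding]) -> Dict[str, object]:
    """Roll findings up into severity counts plus a red/amber/green status."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    if counts["high"]:
        status = "red"
    elif counts["medium"]:
        status = "amber"
    else:
        status = "green"
    return {**counts, "status": status}


# Constructed sample source containing one instance of each problem class.
SAMPLE_SOURCE = """\
import datetime, socket

DB_PASSWORD = "Summer2008!"

def open_channel():
    return socket.create_connection(("10.0.0.5", 4444))

def nightly_job(today, audit, user, pw):
    if today >= datetime.date(2009, 1, 1):
        wipe_everything()
    audit.write("user %s password %s" % (user, pw))
"""


if __name__ == "__main__":
    results = scan_source(SAMPLE_SOURCE)
    for f in results:
        print(f"{f.severity:6} line {f.line_no:3} {f.rule:28} {f.line}")
    print(traffic_light(results))
```

The usefulness and the limitation of the approach both show up here. The scanner finds all four planted problems and the dashboard goes red, which is exactly the indicator a development manager wants to wave at the board. But each rule is a textual pattern, so it only ever reports what someone anticipated: a credential read from a file of the wrong permissions, or a date check assembled from arithmetic, produces a green light. That is why the article's framing of such a tool as a strong indicator rather than a guarantee is the right one.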

The appeal of the simple presentation of such a complex
issue is obvious. Development managers can show their bosses lots of green
lights to show how clever they are, and indeed some customers of outsourced development
contracts use the Ounce Labs report as a key indicator of software quality and for
the release of subsequent payments.

The downside of this approach is that decision makers get
seduced by green lights whilst their developers look for even more creative
ways of inserting malicious code. No sensible person will ever declare that a
product such as Ounce 5 will guarantee that your code is 100% secure, but as an
indicator that covers 95% of the possibilities it is a whole lot more
convincing than a sweating development manager putting his career on the line
as he attempts to assure his bosses that the code is secure.

If I ever had the dubious pleasure of running software
development projects again I for sure would take a long hard look at a solution
such as Ounce 5.