As application security threats continue to grow, better code quality analysis has become critical. One of the key tools for producing better, more secure code is static analysis, an area that IBM (NYSE: IBM) jumped into in 2009 with the acquisition of Ounce Labs.

Now, six months after the acquisition announcement, the Ounce Labs static analysis tools are part of the IBM Rational family of products, which also includes the AppScan product line for dynamic analysis. Ounce Labs static analysis technology has been rebranded as the IBM Rational AppScan Source Edition. With the integration of the Ounce tools, IBM now has both static and dynamic analysis capabilities in its effort to more thoroughly secure application code.

"In our discussions with IBM running up to the acquisition, it was clear that IBM was continuing their success on the dynamic analysis side with the AppScan products," Jack Danahy, former CTO of Ounce Labs and now a security executive within IBM Rational's CTO office, said. "They were hearing from customers that we have broad language coverage and are used in some large deployments. So IBM concluded that it would make sense to jump ahead and combine their muscle in terms of customer confidence and combine the two technologies -- static and dynamic analysis."

AppScan came to IBM by way of the 2007 acquisition of Watchfire. AppScan focuses on dynamic analysis of application code for penetration testing to find potential security risks and defects. Static analysis, on the other hand, looks at application code data flow to help identify defects along a code path. While the two types of analysis have often been separate, Danahy noted that by having the dynamic analysis expertise from IBM, the Ounce Labs static analysis technology is now being improved.

IBM now offers an integrated dashboard by which users can see AppScan dynamic analysis alongside Ounce static analysis results. Danahy noted that work has also continued to go beyond integrating the data sets from both static and dynamic analysis of a particular piece of code.

"That's where a lot of the hard thinking is now," Danahy said. "How do we leverage the results that one acquires from a penetration test in terms of things that are exploitable and then find out how to match those against the underlying vulnerabilities that are found in the source code, to provide a new means by which people can figure out what to fix first."

IBM product integration

The other key area where the Ounce Labs technology is being integrated into IBM is on the IDE side, though the work there is not starting from scratch.

"In 2007, Ounce Labs was an IBM Rational premium partner for RAD 7 (Rational Application Developer), so we've had a RAD plug-in for years," Danahy said. "What we're doing now is re-tuning the way we did things more neatly, since we're now part of the inside crowd instead of being an external third party provider."

Danahy added that IBM Rational overall has a large number of products that he wasn't aware of, and now he's working on seeing where else Ounce Labs static analysis technology can be integrated to enhance software development and application security.

On a larger technology level, IBM has been working on integrated security in both its Rational and Tivoli divisions.

Application framework concerns

While buffer and integer memory overflows are common code-level defects, the deeper culprit for flaws may actually be in the application frameworks that developers are using.

"If you look at the material flaws that are causing developers to fall over all the time, a lot of them are composition problems," Danahy said.

Danahy added that the frameworks that provide developers with the ability to quickly deploy service-oriented and other types of applications can mask the complexity of the underlying system, which can lead to potential security issues. He sees security problems stemming from a lack of developer insight into understanding how the frameworks work and handle data.

"If I look at a trend for 2010, I think we'll continue to see a real growth of frameworks as an enabler of application development," Danahy said. "It will become much more important to communicate to developers the results of security analysis about how application construction could negatively impact how they keep data or services private."

Sean Michael Kerner is a senior editor covering Linux and open source, application development and networking.