SPI, Ounce Labs Target Poorly Written Code

Application security specialist SPI Dynamics Inc. on Monday rolled out a new solution designed to help developers lock down their applications during development through the use of secure chunks of code.

Also on Monday, a small startup, Ounce Labs Inc., of Waltham, Mass., released the second version of its Prexis source-code analysis tool. While SPI Dynamics and Ounce Labs take different approaches, both companies are aiming at what many security experts see as the root cause of most vulnerabilities: poorly written code.

Known as SecureObjects, SPI Dynamics' new release will be integrated with Microsoft Corp.'s Visual Studio .Net 2003 and is meant to give developers a library of securely written pieces of code that they can insert into their applications in specific situations. Most security vulnerabilities at the code level are the result of common programming errors, such as the failure to check the length of a memory buffer or the input from a Web form.

To remedy this, SPI Dynamics has developed a set of objects, each of which performs a specific function during the application development process. One type of object can be inserted into Web applications to check the incoming data on Web forms. The object compares the data against a pre-determined set of rules that governs what types of input are allowed. A second kind of object handles all of the security events generated by the other objects in the solution's library.

Inserting the objects into applications doesn't require any major changes to the code, and developers can simply drag and drop them wherever they're needed.

"It doesn't require developers to learn about security," said Caleb Sima, founder and chief technology officer of SPI Dynamics, based in Atlanta. "You really just need to validate input to eliminate most application vulnerabilities."

The company plans to integrate SecureObjects with its flagship WebInspect product. SecureObjects is due for general availability in the third quarter. SPI Dynamics also plans to release versions for ASP and Java in the near future.

Meanwhile, Ounce Labs' new version of Prexis, which scans source code for vulnerabilities, now includes a way to measure the number and severity of the flaws found in a given application. The V-Density measurement is meant to gauge the security of applications relative to one another, giving administrators and IT managers a way to prioritize the task of fixing vulnerabilities.

Prexis 2.0, which is available now, is meant for C and C++ applications, although a Java module is in the works and will be available in July.

This article was first published on eweek.com.

Copyright © 2004 Ziff Davis Media Inc. All Rights Reserved. Originally appearing in Dev Source.