SOURCE: Ounce Labs

June 05, 2006 08:08 ET

Ounce 4.0 Delivers Major Advancements in Source Code Vulnerability Analysis

Seamless SDLC Integration, Fastest Time-to-results, and Enhanced Analysis Highlight New Release

WASHINGTON DC -- (MARKET WIRE) -- June 5, 2006 -- GARTNER IT Security Summit -- Ounce Labs, the leader in software security assurance, today set a new standard in source code vulnerability analysis solutions with Ounce 4.0. The new product integrates seamlessly with the software development lifecycle (SDLC), enables the fastest time-to-results, and features even greater assessment accuracy and completeness. Customers also benefit from an innovative licensing model.

"Ounce provides tremendous value by pinpointing real vulnerabilities, while others present just raw data," said Mike Gibbons, vice president, Enterprise Security Services, Unisys Corp. (NYSE: UIS). "Unisys has been using this solution for almost a year, and the biggest advantage is the ability to quickly understand the most critical results and take decisive action, rather than spend time sifting through reams of false positives."

"Code-scanning tools provide significant value for organizations trying to eliminate vulnerabilities or prevent them from being introduced during new development," said Michael Leworthy, technical product manager in the .NET Developer Marketing Group at Microsoft Corp. "Microsoft is pleased with the technological advancements Ounce Labs has made in this field, and their integration with Visual Studio 2005 will allow Microsoft developers to work easily within a familiar integrated development environment (IDE)."

Ounce 4.0 features the industry's only enterprise-level architecture for software security assurance, built on the company's advanced source code analysis engine and comprehensive security knowledgebase, which make up the Ounce Core. To meet the broad requirements of all users responsible for software security, the Ounce solution also consists of:

--  Ounce Security Analyst, which provides audit and quality assurance
    teams with all the tools required to perform assessments, triage results,
    and submit flaws to defect tracking systems;
--  Ounce Portfolio Manager, which enables users to track metrics-based
    results and make informed decisions to mitigate risk across an application
    portfolio, whether in development or deployed across an enterprise;
--  Ounce Developer Plug-in, which allows developers to access detailed
    vulnerability information and make immediate fixes to the code at their

Licenses for the Developer Plug-in are free, so organizations can maximize the impact of security efforts by granting unlimited personnel access to assessment results, vulnerability descriptions, and remediation advice.

According to a recent Gartner report, "Implementing source code scanning tools as part of an effort to integrate security best practices is the most effective way to identify and resolve software vulnerabilities. When integrated into the software development process, it will provide for a higher-quality product, lower overall support costs, and improved customer satisfaction(1)."

As cyber attacks become more focused on targeting the application layer, companies are implementing software security assurance products to reduce the risks of data theft, sabotage, legal repercussions, and loss of brand value. The advancements in Ounce 4.0 are in direct response to requests from customers who are using Ounce for source code analysis and remediation within their development and security programs.

"With Ounce 4.0, we've taken our product's industry-leading analysis and reporting and extended its capabilities throughout the development infrastructure and across the enterprise," said Hugh Scandrett, CEO of Ounce Labs. "Organizations are so confident in Ounce's accuracy that they incorporate the assessment results into certification programs, compliance reporting, and product release criteria."

Ounce 4.0 allows customers to achieve measurable, business-level results with their software security assurance programs, delivering:

Greater accuracy and completeness

Ounce 4.0 advances the product's industry-leading analysis with pattern-based semantic analysis capabilities and an expanded knowledgebase. The Ounce security assessment engine looks for the greatest number of software security risks and is the only solution that identifies and isolates confirmed vulnerabilities with 100% confidence.

Seamless integration with the SDLC

Ounce 4.0 fits easily into existing development organizations with new IDE and defect tracking system (DTS) integration. The Ounce Developer Plug-in™ for Microsoft Visual Studio 2005 and Ounce Developer Plug-in™ for Eclipse allow developers to scan project code, pinpoint flaws, and take appropriate remediation steps with guidance from the Ounce Knowledgebase, all within their IDE.

Faster time-to-results

The Ounce Security Analyst™ streamlines vulnerability triage by separating real vulnerabilities from potential ones, offering interactive graphical analysis, and allowing remediation assignment directly through DTS systems. The Ounce solution is built on the fastest and most scalable source code vulnerability analysis engine available, having successfully analyzed applications as large as 50 million lines of code in a single assessment instead of having to scan smaller components separately.

Advanced portfolio management

Management functions have been extended significantly with the new Ounce Portfolio Manager™, which enables comprehensive reporting of customizable application groups, such as development team, business unit, highest criticality, and global organization. Results can be aggregated across disparate assessment databases to generate metrics-based reports of enterprise-wide application security.

About Ounce Labs, Inc.

Ounce Labs™, the leader in software security assurance, delivers products that allow customers to manage software risk in applications across the enterprise, down to individual lines of code. The Ounce solution features patents-pending analysis technology, which scans source code to pinpoint security flaws. Ounce offers the most accurate and complete analysis, the fastest time-to-value, the only complete portfolio management, and the greatest deployment flexibility. Customers include leading organizations in financial services, telecommunications, software development, government, and other industries focused on protecting data, reducing software vulnerabilities, and complying with industry regulations. Ounce Labs is headquartered in Waltham, Massachusetts, with regional offices throughout the U.S. For more information, please visit

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

(1) Implement Source Code Security Scanning Tools to Improve Application Security, Amrit Williams, Gartner, April 4, 2006.

Contact Information

    Chris McClean
    Ounce Labs
    781.547.7031 (o)
    617.571.8945 (m)