SOURCE: Ounce Labs

February 14, 2006 09:06 ET

Ounce Labs and Aspect Security Publish Report on Open Source Vulnerability Analysis

Case Study Documents Application Security Verification Process and Offers Industry Guidance on Creating a Software Security Program

SAN JOSE, CA -- (MARKET WIRE) -- February 14, 2006 -- RSA Conference -- Ounce Labs, the leader in software security assurance solutions, and Aspect Security, the application security specialists, today released "Opening the Black Box: A Source Code Security Analysis Case Study." The report describes a detailed source code security review of a popular open source application, ways specific flaws may affect users, security trends of open source development, and guidelines that professionals should use for verifying the security of applications within their organization.

Primary authors of the publication are Jack Danahy, founder and CTO of Ounce Labs, and Jeff Williams, founder and CEO of Aspect Security as well as Chairman of the Open Web Application Security Project (OWASP) Foundation. They document a detailed security verification of Azureus, the popular open source BitTorrent client, by Aspect's team of application security experts supported by Ounce Labs' advanced source code security analysis technology.

The Ounce Labs' analysis engine took under an hour to scan Azureus' 200,000 lines of source code and identify vulnerabilities and potential design flaws in the application. Aspect's team used these results as part of its unique application security verification process and documented details of the most critical vulnerabilities. This process is explained step-by-step in Opening the Black Box to give organizations guidance on how to implement a software security assurance initiative for their own applications.

"Our security verification of Azureus found it to be resilient to attacks for the most part, and security mechanisms have been well-implemented within the code," said Williams. "Verification is not simply finding vulnerabilities. We used Azureus as a test case to demonstrate a cost-effective process for ensuring that applications are secure enough to trust with your business. These efforts also provide tremendous insight into your organization's capability to produce secure code."

"This report demonstrates a process proven to successfully reduce enterprise risk caused by insecure software, although the vast majority of companies have almost no insight into how secure their applications are," said Danahy. "Layers and layers of network security are worthless if application flaws and policy violations expose critical data to attack. We are presenting a way to remove software risks that companies can begin implementing immediately."

Jeff Williams will join Ounce Labs every hour during the RSA Conference in booth number 215 to present findings from the Opening the Black Box report. Aspect will also be exhibiting in Ounce Labs' booth as a featured partner.

"Opening the Black Box: A Source Code Security Analysis Case Study" is available free to the public at Ounce Labs' booth or at

The Azureus Team volunteered their application as a test subject for this project. Their support during the process and permission to publish results of this study are greatly appreciated. More information about Azureus can be found at

About Ounce Labs, Inc.

Ounce Labs™, the leader in software security assurance, delivers products that allow customers to verify that software meets their defined security requirements. Ounce Labs' enterprise-level automated source code analysis provides reliable vulnerability metrics necessary to manage software risk, enforce security policies, enhance audit capabilities, and track compliance efforts. Based on patents-pending Contextual Analysis™ technology, Ounce Labs' products also pinpoint specific software design errors and coding flaws to simplify remediation during any phase of the development lifecycle. Founded in 2002, Ounce Labs is located in Waltham, Massachusetts. For more information, please visit

About Aspect Security, Inc.

Aspect Security specializes in web application and web services security. Aspect's expert staff is responsible for the security of financial, healthcare, biotechnology, e-commerce, Fortune 500, and government web applications. Aspect provides code review, penetration testing, policy development, and developer security training services to find, diagnose, and eliminate vulnerabilities in custom web application code. Aspect is privately held and headquartered in Columbia, Maryland. To contact Aspect Security call 301-604-4882, visit us on the Web at, or write to

Contact Information

    Chris McClean
    Ounce Labs
    781.547.7031 (o)
    617.571.8945 (m)
    Email Contact

    Bill Husted
    Aspect Security, Inc.
    Email Contact