
Data Theft: Protecting Data From the Inside Out

The ongoing epidemic of data breaches, and the resulting notification requirements forced by today's data breach disclosure laws and compliance standards, have painfully highlighted the insecurity of many of today's applications. How, then, can organizations ensure their applications are secure, and avoid the cost and public relations fallout - not to mention stock price downturn - inherent in issuing numerous security patches, or worse, having to explain to consumers and regulators how code defects allowed attackers to steal people's sensitive and perhaps regulated information?

Historically, organizations have focused on one of the following two approaches to securing their software:

  • Manual Security Code Review, which provides a thorough analysis but has issues of efficiency, repeatability, reliability and cost, and also requires highly skilled security expertise.
  • Penetration Testing, which focuses only on web front ends and exposed interfaces. Pen testing is considered an "Outside, In" approach, and requires a functionally complete application to analyze, so it cannot be built into the SDLC process.

While both of these approaches have their value, automated software risk analysis tools such as those offered by Ounce Labs now allow companies to approach secure code development in a more systematic, automated, and predictable manner. These tools greatly improve the speed and accuracy of code review, and may be integrated seamlessly into the development lifecycle, precisely locating vulnerabilities in the line of code and providing detailed information about the type of flaw, the risk it poses, and how to fix it. Additionally, only automated analysis tools provide the ability to consistently manage vulnerability remediation and track progress over time.

Ounce provides organizations with:

  • Precise results: Ounce offers confirmed vulnerabilities across the broadest range of security risks.
  • The most rapid time-to-results: The out-of-the-box experience is unmatched by other tools, providing a rapid, streamlined process from installation to results.
  • Specific Compliance Reports: The Ounce SmartAudit reporting templates provide executives and managers with specific information to prove compliance with leading standards and regulations such as the OWASP Top 10 and PCI.

By eliminating vulnerabilities at the root cause, rather than attempting to protect against exploits at the perimeter, this approach to application defense best ensures that the application will not compromise, or allow others to compromise, data privacy and data integrity.

The Path to a Secure Application:
A Source Code Security Review Checklist

Read this white paper to learn the path to finding and eliminating coding errors and design flaws that expose data, threaten operations, and could cost your organization a tarnished brand and irreparable harm.
