TECHNICAL FAQS:


What is Contextual Analysis™?

Ounce Labs' patented Contextual Analysis technology analyzes source code automatically at a depth and level of detail previously unavailable. The context in which a call is used determines whether or not it is truly vulnerable: the same API call can be safe in one place and exploitable in another, depending on where its arguments come from. Ounce determines vulnerabilities by tracking the flow of data through an application, using cross-module, cross-language, semantic and data flow analysis to build a complete picture of your software risk. This source code analysis technology lets the Ounce product understand the interrelationships between individual calls, modules, data elements, and processes.

How does Contextual Analysis work?

Ounce analyzes source code automatically using a language processor that parses the application into a Common Intermediate Security Language (CISL). The CISL captures multi-dimensional information about each call site, which allows Ounce to refine vulnerability data through three different levels of analysis.

Does Ounce provide call graph tracing?

Yes, Ounce's SmartTrace™ technology traces the flow of data throughout an application, across modules and languages, displaying the paths of potentially dangerous data in a call graph and indicating areas where an application may be susceptible to Web application vulnerabilities.

What is SmartTrace?

Ounce's SmartTrace™ capability helps customers defeat SQL Injection, cross-site scripting, and other input validation attacks by identifying data paths in web applications that lack an approved input validation or encoding routine. Customers can interactively trace the entire call graph, clicking directly from the SmartTrace window to view the source in the IDE or code editor of their choice. SmartTrace also enables policy enforcement at the click of a mouse: customers can mark the routines they consider proper input validation and encoding as approved, so that they are recognized in future assessments.

Can I set my own security policies and include custom software vulnerabilities in the analysis?

Yes. Through the Knowledgebase Editor, customers can tailor the Security Knowledgebase to their own security and policy standards and apply those standards consistently across the enterprise. From the SmartTrace interface, customers can right-click a validation routine in the source code to mark it as approved, so that it is recognized in future analyses.
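The following is an added example, not Ounce code, of the kind of analysis the Contextual Analysis, SmartTrace and Knowledgebase answers above describe: untrusted data is tracked from a source, across function calls, to a dangerous sink; a call is reported only when no approved sanitizer lies on the path; each finding carries the trace that leads to it; and marking an in-house routine as approved changes the result on the next scan. The intermediate representation, the policy format, the sample program and every name in it (`request.getParameter`, `ESAPI.encodeForHTML`, `myValidate`, `stmt.executeQuery`) are constructed here for illustration and are not Ounce's CISL or Knowledgebase format.

```python
"""Toy interprocedural taint analysis (added example; not Ounce code).
IR, policy and the sample program below are all constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

# Minimal intermediate representation (a stand-in for a CISL-like form; assumption).
@dataclass
class Assign:          # dst = src
    dst: str
    src: str

@dataclass
class Call:            # [dst =] callee(args...)   args are variable names or literals
    callee: str
    args: list
    dst: Optional[str] = None

@dataclass
class Return:          # return var
    var: Optional[str]

@dataclass
class Func:
    name: str
    params: list
    body: list

# Policy: where untrusted data enters, where it is dangerous, which routines neutralize it.
DEFAULT_POLICY = {
    "sources": {"request.getParameter"},
    "sinks": {"stmt.executeQuery": "SQL Injection", "out.print": "Cross-Site Scripting"},
    "sanitizers": {"ESAPI.encodeForHTML", "ESAPI.encodeForSQL"},
}

def analyze(funcs, policy, fname, arg_taints, findings, depth=0):
    """Analyze `fname` given the taint trace (or None) of each actual argument.
    Appends a finding for every sink reached by tainted data; returns the trace
    carried by the function's return value, or None if that value is clean."""
    f = funcs[fname]
    taint = {p: t + [f"{fname}: parameter {p}"]
             for p, t in zip(f.params, arg_taints) if t is not None}
    ret = None
    for st in f.body:
        if isinstance(st, Assign):
            if st.src in taint:
                taint[st.dst] = taint[st.src] + [f"{fname}: {st.dst} = {st.src}"]
            else:
                taint.pop(st.dst, None)
            continue
        if isinstance(st, Return):
            ret = taint.get(st.var) if st.var else None
            continue
        in_taints = [taint.get(a) for a in st.args]
        tainted_args = [(a, t) for a, t in zip(st.args, in_taints) if t is not None]
        if st.callee in policy["sources"]:
            result = [f"{fname}: {st.dst} = {st.callee}(...)  [source]"]
        elif st.callee in policy["sanitizers"]:
            result = None                    # approved routine: its output is trusted
        elif st.callee in policy["sinks"]:
            for a, t in tainted_args:        # every tainted argument is one finding
                findings.append({"type": policy["sinks"][st.callee],
                                 "trace": t + [f"{fname}: {st.callee}({a})  [sink]"]})
            result = None
        elif st.callee in funcs and depth < 8:
            # Cross-module call: analyze the callee in the context of these arguments.
            result = analyze(funcs, policy, st.callee, in_taints, findings, depth + 1)
            if result is not None:
                result = result + [f"{fname}: {st.dst} = {st.callee}(...) returns tainted"]
        else:
            # Unknown library call: conservatively assume it passes taint through.
            result = (tainted_args[0][1] + [f"{fname}: {st.dst} = {st.callee}(...) passes taint"]
                      if tainted_args else None)
        if st.dst:
            if result is not None:
                taint[st.dst] = result
            else:
                taint.pop(st.dst, None)
    return ret

# Constructed sample application: a servlet-like entry point plus two helper functions.
SAMPLE = {
    "doGet": Func("doGet", [], [
        Call("request.getParameter", ['"name"'], dst="name"),
        Call("ESAPI.encodeForHTML", ["name"], dst="safe"),
        Call("out.print", ["safe"]),          # encoded first: not a finding
        Call("out.print", ["name"]),          # raw parameter: cross-site scripting
        Call("lookup", ["name"]),
    ]),
    "lookup": Func("lookup", ["user"], [
        Call("myValidate", ["user"], dst="v"),   # in-house routine, unknown to the default policy
        Call("buildQuery", ["v"], dst="q"),
        Call("stmt.executeQuery", ["q"]),
    ]),
    "buildQuery": Func("buildQuery", ["u"], [
        Call("String.concat", ["\"SELECT * FROM users WHERE name='\"", "u"], dst="s"),
        Return("s"),
    ]),
}

def scan(funcs, policy, entry="doGet"):
    """Run the analysis from `entry` and return the list of findings with traces."""
    findings = []
    analyze(funcs, policy, entry, [], findings)
    return findings

def with_approved_routine(policy, routine):
    """Knowledgebase-style customization: declare an in-house validator as approved."""
    return {**policy, "sanitizers": policy["sanitizers"] | {routine}}

if __name__ == "__main__":
    for label, pol in [("default policy", DEFAULT_POLICY),
                       ("myValidate approved", with_approved_routine(DEFAULT_POLICY, "myValidate"))]:
        print(f"== {label}")
        for fnd in scan(SAMPLE, pol):
            print(fnd["type"])
            print("   " + "\n   ".join(fnd["trace"]))
```

With the default policy the scan reports two findings: the raw `out.print(name)` and an SQL injection whose trace runs from `doGet` through `lookup` and `buildQuery` to `stmt.executeQuery`. Once `myValidate` is added to the approved sanitizers, the SQL injection finding disappears while the unencoded `out.print` is still reported, which is the effect the Knowledgebase customization above is meant to have. A real analyzer also has to handle aliasing, fields, collections and partial sanitizers (an HTML encoder does not make data safe for SQL); this toy deliberately treats every approved routine as clearing taint for every sink.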

What programming languages does the Ounce Solution analyze?

Ounce analyzes Java, JSP, C, C++, C#, ASP.NET, VB .NET, Classic ASP (JavaScript/VBScript), and Visual Basic 6 written on Windows, Solaris, Linux, and AIX platforms.

Do you function as a plug-in?

Yes. Ounce offers plug-ins for Microsoft Visual Studio and Eclipse. The Ounce Developer Plug-ins are licensed free of charge and allow organizations to remediate vulnerabilities at the earliest and least costly stage of the life cycle.

Does Ounce integrate with defect tracking systems (DTS)?

Yes. Ounce integrates with leading defect tracking systems so that confirmed software vulnerabilities are delivered directly to the developer desktop. Integration with IBM Rational ClearQuest is planned.

How long does an Ounce Labs analysis take?

Ounce's optimized compiler-based analysis technology keeps the analysis economical, both in cost and in the time required to analyze source code.

Does Ounce automatically fix the software vulnerabilities it locates?

No. Ounce separates real vulnerabilities from potential ones, so security analysts, QA teams, and developers can go directly to confirmed vulnerabilities and focus remediation effort there. Results are sorted by severity (high, medium, low) and by type (buffer overflow, race condition, privilege escalation, etc.), and the Security Knowledgebase suggests to the developer how to correct the vulnerability or exception. The decision to correct or modify the code is left to the developer on a case by case basis, because the developer typically understands the desired behavior of the application better than a tool can.

Will Ounce help me find vulnerabilities in my prepackaged suite of applications?

Ounce requires access to an application's source code to discover potentially exploitable vulnerabilities, which is not possible with most shrink-wrapped software packages. Ounce can be used to scan any open-source product, or to assess the security state of any source code available to your organization.
