FOR IMMEDIATE RELEASE

CONTACT:

Bill Husted
Aspect Security, Inc.
301-604-4882 (o)
301-775-5545 (m)
bill.husted@aspectsecurity.com

Aspect Security and Ounce Labs Publish Report on Validating the Security of Open Source Software
Case Study Documents Application Security Verification Process and
Offers Industry Guidance on Creating an Application Security Initiative

RSA Conference - San Jose, CA, Feb. 14, 2006

Aspect Security, the application security specialists, and Ounce Labs, the leader in software security assurance solutions, today released “Opening the Black Box: A Source Code Security Analysis Case Study.” The report describes a detailed source code security review of a popular open source application, including how specific flaws may affect users, security trends in open source development, and guidelines that professionals should use for verifying the security of applications within their organization.

Primary authors of the publication are Jeff Williams, founder and CEO of Aspect Security and Chairman of the Open Web Application Security Project (OWASP) Foundation and Jack Danahy, founder and CTO of Ounce Labs. They document a detailed security verification of Azureus, the popular open source BitTorrent client, by Aspect’s team of application security experts supported by Ounce Labs’ advanced source code security analysis technology.

Aspect’s team used the output from the Ounce Labs tool as part of its unique application security verification process and documented details of the most critical vulnerabilities. This process is explained step-by-step in Opening the Black Box to give organizations guidance on how to implement a software security assurance initiative for their own applications.

“Our security verification of Azureus found it to be resilient to attacks for the most part, and security mechanisms have been well-implemented within the code,” said Williams. “Verification is not simply finding vulnerabilities. We used Azureus as a test case to demonstrate a cost-effective process for ensuring that applications are secure enough to trust with your business. These efforts also provide tremendous insight into your organization’s capability to produce secure code.”

“This report demonstrates a process proven to successfully reduce enterprise risk caused by insecure software, although the vast majority of companies have almost no insight into how secure their applications are,” said Danahy. “Layers and layers of network security are worthless if application flaws and policy violations expose critical data to attack. We are presenting a way to remove software risks that companies can begin implementing immediately.”

Opening the Black Box: A Source Code Security Analysis Case Study is available free to the public at http://www.aspectsecurity.com/papers/openbox.

The Azureus Team volunteered their application as a test subject for this project. Their support during the process and permission to publish our results are greatly appreciated.

About Aspect Security, Inc.

Aspect Security, the application security specialists, delivers third-party security analysis, code review, and testing to verify the strengths and weaknesses of web applications, web services, and other software. Aspect also appraises an organization’s capability to develop, operate, and maintain applications securely. Aspect has verified hundreds of millions of lines of code for mission-critical applications and has trained thousands of developers and managers to build and test secure applications. Aspect authored the OWASP Top Ten Web Application Vulnerabilities. Aspect’s core team has been providing application security services for over eight years, since before application security was a mainstream issue. Aspect is privately held and headquartered in Columbia, Maryland. To contact Aspect Security, call 301-604-4882, visit us on the Web at http://www.aspectsecurity.com, or write to info@aspectsecurity.com.

About Ounce Labs, Inc.

Ounce Labs, the leader in software security assurance, delivers products that allow customers to verify that software meets their defined security requirements. Ounce Labs’ enterprise-level automated source code analysis provides the reliable vulnerability metrics necessary to manage software risk, enforce security policies, enhance audit capabilities, and track compliance efforts. Based on patent-pending Contextual Analysis technology, Ounce Labs’ products also pinpoint specific software design errors and coding flaws to simplify remediation during any phase of the development lifecycle. Founded in 2002, Ounce Labs is located in Waltham, Massachusetts. For more information, please visit www.ouncelabs.com.

About Azureus

“Azureus is a BitTorrent Java client. The BitTorrent protocol is a new way of exchanging or distributing data over the internet (see http://bitconjurer.org/BitTorrent/introduction.html). Downloading also means uploading, and the amounts of each are linked, to ensure fairness and rapidity in the spread of the file at hand. To be able to download a file, you first need to get the associated .torrent file. This file, usually a dozen KB in size, is the ‘signature’ of the much bigger file to be downloaded, and it needs software to be read properly. Azureus is such software. If you want to host files yourself, you need a tracker, which is basically a central server coordinating the connections between peers. Azureus can provide a tracker too.” Source: azureus.sourceforge.net.