Ounce 6 provides static source code security analysis. It will analyse any application written in C/C++, Java/JSP, .NET (C#, VB .NET, ASP.NET), Classic ASP (VBScript, JavaScript) and Visual Basic 6. It provides a way to carefully examine any source code written in these languages for possible holes and vulnerabilities. These applications do not need to be web-based; any source code can be tested.
Ounce 6 is a simple install and it took us a few minutes to get the product up and running. However, the application console is a little tricky to navigate. It has tabs labelled configuration, triage and analysis. In Ounce 6, triage refers to the analysis and findings of the scan - not the usual use of the term. It usually refers to a step in incident response. Analysis is where the code can be analysed and repaired.
It took us some time to get the feel of this application, but when we did we found that it does have some serious power.
This product includes many tools to help remedy poorly written or vulnerable code. These are: the SlickEdit tool to help edit problem code; the remediation assistance view, which links to a knowledgebase for further explanation of vulnerabilities; and the SmartTrace view, which helps see the data flows. All help in managing code problems easily.
The only documentation we received with the product was a PDF evaluation guide. This guide outlined how to get Ounce 6 set up and provided a brief overview of the product features. It also included many screenshots and step-by-step instructions, but these were of overview value at best.
Ounce Labs provides full-featured support as part of an annual support licence fee. This offers technical support options, such as phone and email support, software updates and access to the online support portal. There is also a user forum available at no cost on the website.
At a price just over £21,000 before annual support fees, we find Ounce 6 to be average value for the money. While it does have some serious power for finding and editing problem code, it is a little difficult to use and would require some training on how to get the most out of it.