Ounce Labs 5.0

Ounce Labs 5.0 is a static source code analysis solution built primarily on two separate components. The application approaches application vulnerability assessment by statically analysing source code and supports many different languages, including C/C++, Java/JSP, .NET (C#, VB.NET, ASP.NET), Classic ASP (VB and JavaScript) and Visual Basic.

We found installation a bit challenging at times. Plug-ins are an option at the initial installation screen, but revisiting these options after the base installation was completed meant re-installing the entire product. Ounce installs on many Windows-based operating systems as well as Solaris and Red Hat. Support for different compilers is included, and plug-ins for RAD, Eclipse and Visual Studio are optional.

The main components are the Ounce Portfolio Manager, a web-based dashboard, and the Security Analyst, where most of the configuration and assessment work is performed. Because the product contains many different features and perspectives, the Security Analyst window may contain a large amount of information at any one time and often feels cluttered. It is based on three primary views that reflect configuration, triage and analysis respectively.

The product performed very well in our testing and found numerous vulnerabilities in our test source code. Once an assessment project is completed, the results can be pushed to the web-based Portfolio Manager for a more user-friendly dashboard view. From a design perspective, the two components look very different, giving the overall solution a slightly lopsided feel when switching between them.

Documentation is helpful, but we would have liked to see more screenshots. Help can also only be launched from within the application: the standalone PDF files had to be retrieved directly from the install folders, as they are not listed in the Start menu on Windows installations.

Pricing for Ounce Labs 5.0 is based on an annual license. Cost is US$1,500. Perpetual licenses are available for US$2,750. Gold level support is available for 20 percent of the net product fee.

The Ounce Labs support site does list a support phone number and hours of operation, but the searchable knowledge base only contained three entries at the time of testing.
Verdict
4 out of 5
For: Good performance, many useful features, very detailed technical results
Against: The Security Analyst user interface can feel over-crowded
Verdict: A good addition to any software development lifecycle, providing solid value for the price
Info
Supplier: Ounce Labs