Here is a PoC I wrote in 2009 (post OunceLabs IBM acquisition) of a mini tool (with drag-n-drop support) that:
- Fired up scans of Ounce 6 and AppScan Developer (the two SAST engines that IBM had at the time)
- Imported both sets of scan Findings into O2
- Created consolidated list of Findings (i.e. findings that existed in both sets of results)
- Showed consolidated Findings to user (with ability to open them in Ounce 6)
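The consolidation step in that list (keeping only Findings that both engines reported) is the part that makes cross-tool results trustworthy. As an added example, not code from O2 or the module above, here is a minimal Python correlator: it normalises file paths and maps each tool's vulnerability names onto a shared vocabulary (the alias table and the sample Findings are constructed, not Ounce 6 or AppScan Developer output), then pairs Findings whose reported lines fall within a small tolerance.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    tool: str       # which SAST engine reported it
    file: str       # path as the tool reported it
    line: int
    category: str   # tool-specific vulnerability name

# Each engine uses its own vulnerability names; fold them onto one vocabulary.
# Assumed alias table for this example, not any vendor's real taxonomy.
CATEGORY_ALIASES = {
    "sql injection": "sqli", "sqli": "sqli",
    "cross-site scripting": "xss", "xss": "xss", "reflected xss": "xss",
}

def normalize(f: Finding) -> tuple[str, str]:
    """Key a finding by (path with unified separators, canonical category)."""
    path = f.file.replace("\\", "/").lower()
    raw = f.category.strip().lower()
    return path, CATEGORY_ALIASES.get(raw, raw)

def consolidate(a: list[Finding], b: list[Finding],
                line_tolerance: int = 2) -> list[tuple[Finding, Finding]]:
    """Return pairs (fa, fb) present in both result sets: same file and
    category, reported lines no more than line_tolerance apart."""
    index: dict[tuple[str, str], list[Finding]] = {}
    for fb in b:
        index.setdefault(normalize(fb), []).append(fb)
    matched, used = [], set()
    for fa in a:
        for fb in index.get(normalize(fa), []):
            if fb not in used and abs(fa.line - fb.line) <= line_tolerance:
                matched.append((fa, fb))
                used.add(fb)          # each finding in b pairs at most once
                break
    return matched

# Constructed sample results: the two engines agree only on Login.cs.
OUNCE = [Finding("Ounce 6", "src\\Login.cs", 42, "SQL Injection"),
         Finding("Ounce 6", "src\\Search.cs", 17, "Cross-Site Scripting"),
         Finding("Ounce 6", "src\\Util.cs", 88, "Path Traversal")]
APPSCAN = [Finding("AppScan Developer", "src/Login.cs", 43, "SQLi"),
           Finding("AppScan Developer", "src/Search.cs", 30, "XSS"),
           Finding("AppScan Developer", "src/Config.cs", 5, "Hardcoded Password")]

if __name__ == "__main__":
    for fa, fb in consolidate(OUNCE, APPSCAN):
        print(f"{fa.file}:{fa.line} {normalize(fa)[1]} confirmed by both tools")
```

Findings reported by only one engine are not discarded in practice; they simply stay in the lower-confidence queue rather than the consolidated view.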
As with the OunceLabs WebScan Module, this O2 Light - Dual Scan and Code Fix Tag module (downloadable from here) doesn't build in VisualStudio anymore, but I was able to get a couple of screenshots from VisualStudio's Control Designer.
Here is where the consolidated results were shown:
The title of this module has two interesting clues: O2 Light - Dual Scan and Code Fix Tag
The O2 Light part was a first attempt at creating O2 Tools that were stand alone, smaller and single-task focused (this was 9 months before I developed the *.h2 scripts and 3 years before I created the O2 Stand-alone exes)
The 'Code Fix Tag' was a pretty cool feature that I was able to add to IBM Rational Software Analyzer (via an Eclipse Plug-in), where O2 Findings could be mapped to source code, and the developer was exposed to recommended code fixes directly in his IDE (Eclipse).
The O2 Light - Dual Scan and Code Fix Tag GUI has a couple more details:
Note how this simple example showed 3 different tools (Ounce 6, AppScan Developer, Rational Software Analyzer) working together to create an environment where the developer's effort to fix security vulnerabilities was dramatically reduced.
This is the type of workflow that I described in my AppScan 2011 post, and one that, when we get it right, will dramatically change how application security knowledge is created, distributed and consumed.