Sean Michael Kerner Blog
IBM gets static app testing vendor Ounce

From the 'static analysis is your friend' files:
IBM has been busy today - they acquired metrics vendor SPSS for $1.2 billion - and oh yeah, they also bought Ounce Labs. Financial terms of the deal have not been disclosed - Ounce is privately held.

Ounce is a static analysis vendor and, in my opinion, will fill in a key part of IBM's Rational portfolio. Back in 2007, IBM acquired Watchfire and its AppScan web application security technology. As far as I know, AppScan does not do static analysis, and I don't think that static analysis is something that IBM Rational has ever been known for.

Static analysis is a critical type of software testing that looks for code-level software defects. Static code analysis typically involves a data-flow analysis that looks for defects along a code path.

Among the competitive vendors (again, my view) in the static analysis space is Coverity, which just recently helped to plug a Linux kernel vulnerability thanks to static analysis. Other vendors include Klocwork and Fortify.

The plan is to integrate Ounce into the IBM Rational AppScan product family, which will now give IBM a more robust code-to-production portfolio of software development, analysis and security solutions. It's a tall order, but with all the assets that IBM now has, there can be little (if any) doubt that IBM is very serious about the business of security at all stages of IT.

1 Comment
IBM also has a strong security consulting practice as well. Ounce Labs in their product line will keep them busy with many more billable hours.