Re: [SC-L] Interesting tidbit in iDefense Security Advisory 06.26.07

2007-06-28 Thread David A. Wheeler
In this discussion:
| This is a perfect example of how a source code analysis tool failed,
| because you let a developer tell it to NOT scan it. :) I wonder if
| there are flags like that in Fortify?
There are flags like that in *every* source code scanner I know of. The state of the art is

Re: [SC-L] Interesting tidbit in iDefense Security Advisory 06.26.07

2007-06-28 Thread J. M. Seitz
Hey there, If you couldn't insert ignore directives, many people wouldn't use such tools at all, and would release code with vulnerabilities that WOULD be found by such tools. Of course, much like an IDS, you have to find the baseline and adjust your ruleset according to the norm, if it

Re: [SC-L] Interesting tidbit in iDefense Security Advisory 06.26.07

2007-06-28 Thread Leichter, Jerry
On Thu, 28 Jun 2007, J. M. Seitz wrote:
| Hey there,
|
| If you couldn't insert ignore directives, many people
| wouldn't use such tools at all, and would release code with
| vulnerabilities that WOULD be found by such tools.
|
| Of course, much like an IDS, you have to find the baseline

Re: [SC-L] Interesting tidbit in iDefense Security Advisory 06.26.07

2007-06-28 Thread David A. Wheeler
On the comment:
| I am not disagreeing with the fact the static source analysis is a
| good thing, I am just saying that this is a case where it failed (or
| maybe the user/developer of it failed or misunderstood its use). Fair
| enough that on this particular list you are going to defend

[SC-L] Instead of the next frontier, how about another frontier

2007-06-28 Thread McGovern, James F (HTSC, IT)
I was thinking, instead of the next frontier, how about another frontier? Many software vendors pretend that the entire world is either Java or .NET without acknowledging that all of the really good data in many enterprises is sitting on a big ugly mainframe running COBOL, IMS, PL/1, etc. It is

Re: [SC-L] The Next Frontier

2007-06-28 Thread McGovern, James F (HTSC, IT)
Would Fortify consider making their schema open source and donating it to OWASP? Likewise, would Ounce Labs, Coverity and others be willing to adapt their product to it?
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Paco Hope
Sent: Wednesday, June

[SC-L] Comparing Software Vendors

2007-06-28 Thread McGovern, James F (HTSC, IT)
Jerry Leichter commented on flaws in scanning tools, but I have a different question. Lots of folks love to attack MS while letting other vendors off the hook. Is there merit in terms of comparing vendor offerings within a particular product line? For example, is EMC's Documentum product more secure