Gary McGraw wrote:
Hi all (especially david),
The story you repeated about ITS4 finding a vulnerability
that can't happen is wrong.
The tool FIST (a fault injection tool for security) which we decribed
in an Oakland paper from 1998 was what you were thinking of.
(FIST was also produced
Crispin Cowan wrote:
I would like to introduce you to my new kick-ass scanning tool. You run
it over your source code, and it only produces a single false-positive
for you to check out. That false positive just happens to be the
complete source code listing for your entire program :)
If you
Title: Re: [SC-L] RE: Comparing Scanning Tools
I
think I should have been more specific in my first post. I should have phrased
it as I have yet to find a large enterprise whose primary business isn't
software or technology that has made a significant investment in such
tools.
Likewise
Title: Re: [SC-L] RE: Comparing Scanning Tools
At the RSA Conference in February, I went to a reception
hosted by a group called "Secure Software Forum"(not to be confused with
the company Secure Software Inc, which offers a product competitive to
Fortify). They had a panel ses
At 2:32 PM -0400 6/9/06, Jeremy Epstein wrote:
Having said that, it's completely at odds compared to what I see working
for an ISV of a non-security product. That is, I almost never have
prospects/customers ask me what we do to assure our software.
I don't even get those questions for our