Yes. https://my.fortifyondemand.com/login.jsp ;)

For those who want to become part of the ACS security team, contact the PPMC. We don't have a formal process to accept new members, but I do want to manage who has access in case of sensitive info in the future.

Stratosec <http://stratosec.co/> - Secure Infrastructure as a Service
o: 415.315.9385
@johnlkinsella <http://twitter.com/johnlkinsella>

On Dec 4, 2012, at 10:34 AM, Demetrius Tsitrelis <demetrius.tsitre...@citrix.com> wrote:

At the conference you showed a URL with the results. Is that publicly available?

-----Original Message-----
From: John Kinsella [mailto:j...@stratosec.co]
Sent: Tuesday, November 20, 2012 11:53 AM
To: cloudstack-dev@incubator.apache.org
Subject: Re: Static Analysis Tools

Allow me to clarify my previous statement - Fortify has such a program, as well, and they've given me a license to scan ACS for this purpose.

What you run into with this is I don't think you want a security scanner as part of the build process, for several reasons:

* They're slow.
* Unless a human reviews the results, they're pretty much useless. So you're just burning CPU cycles.
* If an issue is found, I don't think we want it publicly available on something like Jenkins, but to be reviewed and handled by a security team (which for now is the PPMC) and then announced in a controlled manner.

Happy to discuss these points at any level of detail, or add people to the security team if there's interest. :)

John

ps we've been meaning to have a security discussion on the list, I suspect this thread will accelerate that...

On Nov 20, 2012, at 11:39 AM, Animesh Chaturvedi <animesh.chaturv...@citrix.com> wrote:

I have used Coverity in the past for commercial projects with very good success. I did a quick google search and it looks like Coverity has a program for open source software quality which can potentially be leveraged for CloudStack.

Here is the link: http://scan.coverity.com/getting-started.html

-----Original Message-----
From: John Kinsella [mailto:j...@stratosec.co]
Sent: Tuesday, November 20, 2012 11:12 AM
To: cloudstack-dev@incubator.apache.org
Subject: Re: Static Analysis Tools

Additionally I (and others) run ACS through Fortify Source Code Analyzer. Personally I think findbugs is a bit of a toy, but anything helps...

John

On Nov 20, 2012, at 10:44 AM, David Nalley <da...@gnsa.us> wrote:

On Tue, Nov 20, 2012 at 1:36 PM, Animesh Chaturvedi <animesh.chaturv...@citrix.com> wrote:

Folks, I want to get your opinion on using static analysis tools like PMD for CloudStack to catch some of the bugs early on. Maven has a plugin for PMD: http://maven.apache.org/plugins/maven-pmd-plugin/

Thanks
Animesh

So we have Sonar (analysis.apache.org) sorta in place - doesn't mean we can't do something else, but this exists. https://analysis.apache.org/dashboard/index/100206

--David