Greetings all, FYI, it looks like we're at the beginning of a new wave of software security tools. There's a few commercial products beginning to hit the market that take static src code scanning to a new level. See the link below for a LinuxWorld article that briefly (!) describes @stake's new SmartRisk Analyzer tool in addition to Fortify's Source Code Analysis suite. These appear to pick up where current static analysis tools (e.g., ITS4, Flawfinder) leave off.
Anyone here willing/able to share some _user_ level experiences with any of these tools? It'll be interesting to hear how they hold up in real software development environments. http://www.linuxworld.com.au/nindex.php/id;1780700095;fp;2;fpid;1 Cheers, Ken van Wyk -- KRvW Associates, LLC http://www.KRvW.com
