Thanks for the feedback and link (as well as to those who have replied off line). Note, I did not intend that the 5 tools I listed were exhaustive, just trying to get an idea what works in the field and wanted to get the ball rolling. Any other candidates out there? Flawfinder, anyone?
-gp

Quoting "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>:

> You seem to be leaving out one of the largest open efforts at security.
> ISECOM at http://www.isecom.org covers security testing, secure coding,
> incident response and other security related topics.
>
> -----Original Message-----
> From: Gunnar Peterson
> Date: 4/19/05 6:32 am
> To: Secure Coding Mailing List
> Subj: [SC-L] Doing something about software security
>
> I was thinking about something that Dave Winer said on the Gillmor Gang
> about how the software industry moves forward when small groups (like 1
> or 2) of developers get motivated to solve a problem. I was wondering
> how this applies to software security, since it seems like a perfect
> description for what seems to have motivated Phil Zimmermann to write
> PGP.
>
> In information security, we seem to have a preponderance of ideas and
> technologies from vendors and academia, but relatively less (compared
> to the software space) amount of grassroots efforts by small groups of
> developers making incremental improvements. There are probably a couple
> of reasons for this, first security tends to be a system property, so
> it can be difficult to deal with this incrementally. Secondly, security
> is sort of invisible, e.g. in normal app development work you code a lot
> and then *something* happens, your web server is suddenly multithreaded
> and can handle tons more volume of requests. In security, you work
> really hard, write a lot of code and then something doesn't happen.
>
> Does anyone have candidates for grassroots efforts targeted at software
> security and secure coding? Not necessarily required to be open source
> (though I would expect most of them to be), but a low barrier to entry
> for developers to use, e.g. free. I have started a list including:
>
> * mod_security
> * RATS
> * OWASP (Standards and tools)
> * Legion of the Bouncy Castle
> * Microsoft's Threat Modeling Tool
>
> Any other nominations?
>
> -gp