At the RSA Conference in February, I went to a reception hosted by a group called "Secure Software Forum" (not to be confused with the company Secure Software Inc, which offers a product competitive to Fortify). They had a panel session where representatives from a couple of companies not in the software/technology business claimed that they're making contractual requirements in this area (i.e., that vendors are required to assert as part of the contract what measures they use to assure their code). So I guess there's proof by construction that companies other than Microsoft & Oracle care.

Having said that, it's completely at odds with what I see working for an ISV of a non-security product. That is, I almost never have prospects/customers ask me what we do to assure our software. If it happened more often, I'd be able to get more budget to do the analysis that I think all vendors should do :-(

--Jeremy

P.S. Since Brian provided a link to a press release about Oracle using Fortify, I'll offer a link about a financial services company using Secure Software: http://www.securesoftware.com/news/releases/20050725.html
_____
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of McGovern, James F (HTSC, IT)
Sent: Friday, June 09, 2006 12:10 PM
To: Secure Mailing List
Subject: RE: [SC-L] RE: Comparing Scanning Tools

I think I should have been more specific in my first post. I should have phrased it as: I have yet to find a large enterprise whose primary business isn't software or technology that has made a significant investment in such tools.

Likewise, a lot of large enterprises are shifting away from building in-house to either outsourcing and/or buying, which means that secure coding practices should also be enforced via procurement agreements. Has anyone here run across contract clauses that assist in this regard?
-----Original Message-----
From: Gunnar Peterson [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 09, 2006 8:48 AM
To: Brian Chess; Secure Mailing List; McGovern, James F (HTSC, IT)
Subject: Re: [SC-L] RE: Comparing Scanning Tools

Right, because their customers (are starting to) demand more secure code from their technology. In the enterprise space the financial, insurance, healthcare companies who routinely lose their customers' data and provide their customers with vulnerability-laden apps have not yet seen the same amount of customer demand for this, but 84 million public lost records later (http://www.privacyrights.org/ar/ChronDataBreaches.htm) this may begin to change.

-gp
On 6/9/06 1:45 AM, "Brian Chess" <[EMAIL PROTECTED]> wrote:

McGovern, James F wrote:

> I have yet to find a large enterprise that has made a significant investment in such tools.

I'll give you pointers to two. They're two of the three largest software companies in the world.

http://news.com.com/2100-1002_3-5220488.html
http://news.zdnet.com/2100-3513_22-6002747.html

Brian
_____
_______________________________________________
Secure Coding mailing list (SC-L)
[email protected]
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
*************************************************************************
This communication, including attachments, is for the exclusive use of the addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies.
*************************************************************************