James, and all the list, please accept my apologies for my bad English usage.
Looking at your reply, I understood I expressed my thoughts playing badly
with words.

By saying that vendors have to follow developer licensing, I meant
that in my opinion it is good that vendors still build tools to aid
developers, not only executives, as some mails in this thread would
suggest.

I do agree that tools designed to assist developers in writing secure
code have to be free and open. I'm writing one of these tools; indeed,
it's a framework to build such tools, but that's not an important
difference for this topic.

I think that an open source approach is the winning one here, not just for
saving money on buying tools but for the widespread knowledge shared
among the developers and security experts writing the tool itself.

Sorry for my former mail, which doesn't show my opinion correctly.

The framework for code review tools I'm writing is an OWASP project,
hosted at SourceForge: http://orizon.sourceforge.net

Ciao ciao
thesp0nge


On 6/8/07, McGovern, James F (HTSC, IT) <[EMAIL PROTECTED]> wrote:
> In a previous thread someone appropriately commented that perspectives in 
> this space differ depending upon whether you are a software vendor, 
> government customer or enterprise. I do not disagree that developers need to 
> know how to fix their code. What I am saying is that tools to assist 
> developers in writing better code should be free.
>
> Your quote "*imho* vendor has to follow developer licensing" is where I think 
> it will harm the goals of secure coding at large. Consider the trend within 
> the industry that tools for software development are essentially becoming 
> free. No one pays for IDEs (rare exceptions) when things like Eclipse and 
> Visual Studio have free versions.
>
> Enterprise folks, however, will pay lots of money for tools in the auditing 
> space that help them to quantify risk. The ability to scan multiple large 
> code bases is a different product/problem than scanning while writing code in 
> an IDE. I am saying that more money could be had if folks focus on the former 
> and not the latter. Vendors who get it twisted by focusing on the number of 
> developers are delusional and should ask themselves why only a select 
> few of any enterprise are pervasively deploying tools to developers.
>
> Give away the developer tools in the same way Microsoft does and you will 
> accelerate your potential sales from the bottom up. Not all sales within 
> places are driven top down...
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Paolo Perego
> Sent: Friday, June 08, 2007 5:40 AM
> To: McGovern, James F (HTSC, IT)
> Cc: Secure Coding
> Subject: Re: [SC-L] Perspectives on Code Scanning
>
> Hi there, I found this thread very interesting.
> It's true that developers are the ones who remediate code
> insecurity and executives care about how much effort has to be spent
> on closing branches. Indeed, I think the two categories need a tool
> approaching the same problem (telling whether code follows security best
> practices or not) showing results in two "different" languages.
>
> Developers need to know how to fix their code. Executives need to
> know how much these fixes cost, who will attend to them and in how much
> time the fixes will be committed.
>
> *imho* vendors have to follow developer licensing... since developers do
> know how to write code but have to be helped in writing it in a
> secure way.
>
> Safe coding is a concern for both developers and executives.
> My 2 euro cents
>
> Ciao ciao
> thesp0nge
> --
> Owasp Orizon leader
> orizon.sourceforge.net
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L@securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________


-- 
Owasp Orizon leader
orizon.sourceforge.net