Most recently, we have met with a variety of vendors including but not limited to: Coverity, Ounce Labs, Fortify, Klocwork, HP and so on. In the conversation they all used interesting phrases to describe they classify their competitors value proposition. At some level, this has managed to confuse me and I would love if someone could provide a way to think about this in a more boolean way.
- So when a vendor says that they are focused on quality and not security, and vice versa what exactly does this mean? I don't have a great mental model of something that is a security concern that isn't a predictor of quality. Likewise, in terms of quality, other than producing metrics on things such as depth of inheritance, cyclomatic complexity, etc wouldn't bad numbers here at least be a predictor of a bad design and therefore warrant deeper inspection from a security perspective? - Even if the rationale is more about people focus rather than tool capability, is there anything else that would prevent one tool from serving both purposes? - Is it reasonable to expect that all of the vendors in this space will have the ability to support COBOL, Ruby and Smalltalk sometime next year so that customers don't have to specifically request it? - Do the underlying compilers need to do something different since languages such as COBOL aren't object-oriented which would make analysis a bit different? ************************************************************************* This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies. ************************************************************************* _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________
