Should a security professional have a preference when both have
different value propositions? While there is overlap, a static analysis
tool can find things that pen testing tools cannot. Likewise, a pen test
can report on secure applications deployed insecurely, which is not
visible to static analysis.
 
So, the best answer is I prefer both...
 
http://twitter.com/mcgoverntheory

________________________________

From: sc-l-boun...@securecoding.org
[mailto:sc-l-boun...@securecoding.org] On Behalf Of Matt Parsons
Sent: Thursday, April 15, 2010 5:50 PM
To: 'Matt Parsons'; SC-L@securecoding.org
Cc: webapp...@securityfocus.com; owaspdal...@utdallas.edu; 'Webappsec
Group'
Subject: Re: [SC-L] What do you like better Web penetration testing or static code analysis?



What do you like doing better as application security professionals, web
penetration testing or static code analysis?

 

I offered my thoughts in today's blog.

http://parsonsisconsulting.blogspot.com/2010/04/what-do-you-like-better-secure-code.html

Matt Parsons, MSM, CISSP

315-559-3588 Blackberry

817-294-3789 Home office 

"Do Good and Fear No Man"  

Fort Worth, Texas

A.K.A The Keyboard Cowboy

mailto:mparsons1...@gmail.com

http://www.parsonsisconsulting.com

http://www.o2-ounceopen.com/o2-power-users/

http://www.linkedin.com/in/parsonsconsulting

http://parsonsisconsulting.blogspot.com/

http://www.vimeo.com/8939668

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
