All, I followed this article up with a blog entry, more targeted at adopting organizations. I hope you find it useful:
http://www.cigital.com/justiceleague/2011/02/02/if-its-so-hard-why-bother/

----
John Steven
Senior Director; Advanced Technology Consulting
Desk: 703.404.9293 x1204
Cell: 703.727.4034
Key fingerprint = 4772 F7F3 1019 4668 62AD 94B0 AE7F EEF4 62D5 F908
Blog: http://www.cigital.com/justiceleague
Papers: http://www.cigital.com/papers/jsteven
http://www.cigital.com
Software Confidence. Achieved.

> hi sc-l,
>
> John Steven and I recently collaborated on an article for informIT. The
> article is called "Software [In]security: Comparing Apples, Oranges, and
> Aardvarks (or, All Static Analysis Tools Are Not Created Equal)" and is
> available here:
>
> http://www.informit.com/articles/article.aspx?p=1680863
>
>
> Now that static analysis tools like Fortify and Ounce are hitting the
> mainstream there are many potential customers who want to compare them and
> pick the best one. We explain why that's more difficult than it sounds at
> first and what to watch out for as you begin to compare tools. We did this
> in order to get out in front of "test suites" that purport to work for tool
> comparison. If you wonder why such suites may not work as advertised, read
> the article.
>
> Your feedback is welcome.
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________