[SC-L] Comparing Scanning Tools
The industry analyst take on tools tends to be slightly different than software practitioners at times. Curious if anyone has looked at Fortify and has formed any positive / negative / neutral opinions on this tool and others...

___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
[SC-L] Secure Application Protocol Design
Would love to see Gary address a couple of behaviors I have seen in my travel amongst architect types in corporate America, especially the practice of secure application protocol design that isn't so secure. Is anyone writing/blogging deeply on this aspect?

Likewise, there are many folks in corporate America that have not yet acknowledged that they shouldn't be playing part-time cryptographer and don't have the competency to design cryptographic primitives such as hash functions and algorithms to protect data. Does anyone know of any friendly articles that speak to this problem space?
[SC-L] SD Times
Hi all,

I wrote an article for the SD Times about the state of the practice in software security. It was published Friday, just in time for the Software Security Summit East in Baltimore that starts tomorrow. You might ponder where your organization fits in the maturity levels mentioned at the end of the article: lone wolf, fire department, SDLC touchpoint integration.

http://www.sdtimes.com/article/column-20060601-01.html

Comments and feedback always welcome.

gem
www.cigital.com
www.swsec.com
Re: [SC-L] Comparing Scanning Tools
Fortify is a company with several products. Which product are you referring to? I've used some of their products (and think highly of them), but I have not used all of them.

What I like most about their approach is they are trying to address all parts of the life cycle. The IDE plug-in enforces secure development at the point that code is written/changed. The scanner/workbench supports the build and audit processes. Other components work at runtime.

Are they perfect? Honestly, I've not seen anything that is ever perfect. Are they good and getting better? I believe so.

jt

-----Original Message-----
From: McGovern, James F (HTSC, IT) [EMAIL PROTECTED]
To: sc-l@securecoding.org
Date: Mon, 5 Jun 2006 16:50:17 -0400
Subject: [SC-L] Comparing Scanning Tools

The industry analyst take on tools tends to be slightly different than software practitioners at times. Curious if anyone has looked at Fortify and has formed any positive / negative / neutral opinions on this tool and others...