Re: [SC-L] IBM Acquires Ounce Labs, Inc.
> I think anyone who has experience with deep dynamic testing knows they
> need automation tools with custom configuration ability, the ability to
> record workflow, a framework to create custom tests, etc.

Absolutely. But Arian, there are differing deployment models. You don't just touch an application once in its life and leave it, right? You're doing architecture reviews, reviewing the functional requirements and RBACs, reviewing code, doing integrated security testing, doing a final validation (or as a friend once put it over drinks, "the big giant pen-test"). For any of those activities, you need real, live, experienced, skilled testers.

Once it goes live, however, you may very well have a SOC, NOC, or even "security" team who is tasked with the continual scanning and "monitoring" of their space, whose goal is to touch everything - however lightly - at least once every x days. For this type of scenario where bulk scalability counts over quality - AND A QUALITY ASSESSMENT AND VALIDATION WAS ALREADY PERFORMED - I would suggest a scanner monkey may be appropriate. Of course you would NEVER want that to be your ONLY assessment or validation.

Chris, SPI had a product called DevInspect that performed static and dynamic analysis as a single product, and was definitely around before Aug '07. Not saying it was red-hot, just saying it was there.

I'd like to see NTO. Given the slower dev times of the larger companies and begrudgingly slow addition of core capabilities to them, I'm really hoping that some of the "smaller guys" end up growing and filling niches. For instance, I've heard that one smaller player crawls every bit as well as a major player, and *much* better than the other major player, while costing considerably less than either. NTO reps, feel free to spam me (me, not the list).

I will say this: Chris, I'm completely with you in that I'm convinced that the majority of the market buying scanners is not doing so based on any objective empirical testing, but rather on "who found what" or what they "like". I'm even saddened to say that I recently saw a presentation by an organization tasked and paid to perform objective empirical analysis of scanners, that literally ranked them based on what they found, with absolutely no testing ground truth.

I'm even more strongly convinced that the majority of those running these tools completely underestimate the expertise required to properly operate them and realize full potential from them. Given the complexity of testing software these days you still really need to know what you're doing to eke out of them what little value they hold. Even with realizing their full potential, however, there's still a lot of work to be done beyond a scan to perform anything resembling a complete assessment. Of course, a human-assisted SaaS model has the potential to fill the gap, but from what I'm the majority of organizations using scanners like WI and AS in-house don't. Heck, even some really big name firms selling rather expensive, fancily marketed assessments don't.

Shame, really.

-Matt.

-Original Message-
From: Chris Wysopal [mailto:cwyso...@veracode.com]
Sent: Tuesday, August 04, 2009 8:54 PM
To: Arian J. Evans; Matt Fisher
Cc: Kenneth Van Wyk; Secure Coding
Subject: RE: [SC-L] IBM Acquires Ounce Labs, Inc.

I wouldn't say that NTO Spider is a "sort of" dynamic web scanner. It is a top tier scanner that can battle head to head on false negative rate with the big conglomerates' scanners: IBM AppScan and HP WebInspect. Larry Suto published an analysis a year ago, that certainly had some flaws (and was rightly criticized), but genuinely showed all three to be in the same league. I haven't seen a better head-to-head analysis conducted by anyone. A little bird whispered to me that we may see a new analysis by someone soon.

As a group of security practitioners it is amazing to me that we don't have more quantifiable testing and tools/services are just dismissed with anecdotal data. I am glad NIST SATE '09 will soon be underway and, at least for static analysis tools, we will have unbiased independent testing. I am hoping for a big improvement over last year. I especially like the category they are using for some flaws found as "valid but insignificant". Clearly they are improving based on feedback from SATE '08.

Veracode was the first company to offer static and dynamic (web) analysis, and we have been for 2 years (announced Aug 8, 2007). We deliver it as a service. If you have a .NET or Java web app, you cannot find a comparable solution from a single vendor today.

-Chris

-Original Message-
From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On
Re: [SC-L] IBM Acquires Ounce Labs, Inc.
Steve,

I definitely agree that not using the tools was a big limitation -- especially because the web interface wasn't as interactive and powerful as tool GUIs. But for me, we had a hard time with using a consistent and, actually, meaningful scoring:
- What is a false-positive?
- How important is this particular finding?

This was to me one of the most important limitations since eventually we had most of the traces from the different tools. As Chris said, most of these problems should be addressed in the next SATE, and I hope many tool vendors will be in again :)

Romain

> -Original Message-
> From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On Behalf Of Steven M. Christey
> Sent: Wednesday, August 05, 2009 1:24 PM
> To: Chris Wysopal
> Cc: Secure Coding
> Subject: Re: [SC-L] IBM Acquires Ounce Labs, Inc.
>
> On Tue, 4 Aug 2009, Chris Wysopal wrote:
>
> > As a group of security practitioners it is amazing to me that we don't
> > have more quantifiable testing and tools/services are just dismissed
> > with anecdotal data. I am glad NIST SATE '09 will soon be underway and,
> > at least for static analysis tools, we will have unbiased independent
> > testing. I am hoping for a big improvement over last year. I especially
> > like the category they are using for some flaws found as "valid but
> > insignificant". Clearly they are improving based on feedback from SATE
> > '08.
>
> By the way, I don't recall anybody mentioning this to SC-L before, but the
> SATE 2008 writeup and raw data are available:
>
> http://samate.nist.gov/index.php/SATE.html
>
> In the NIST pub we cover a lot of lessons learned, especially in my paper.
> From the raw data you can see the complexities in doing this kind of
> large-scale comparison. In my opinion, our biggest limitation was not
> using live tools.
>
> - Steve

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
___
Re: [SC-L] IBM Acquires Ounce Labs, Inc.
On Wed, 5 Aug 2009, Romain Gaucher wrote:

> But for me, we had a hard time with using a consistent and actually,
> meaningful scoring:
> - What is a false-positive?
> - How important is this particular finding?

For those on this list, I cover these in some detail in my paper within the NIST document.

> This was to me one of the most important limitations since eventually we
> had most of the traces from the different tools.

... and I did create my own program to take the traces and make them somewhat usable, but it was still slower than using the live tools. Also, that didn't help with constructs like:

  sprintf(buf, "%s%s", a, b);

where the tool was flagging 'a' and I thought it was flagging 'b'.

> As Chris said, most of these problems should be addressed in the next
> SATE, and I hope many tool vendors will be in again :)

So do I!! It would be nice to have a much cleaner data set to work with.

- Steve
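An added example of the correlation problem Steve describes, written for this page rather than taken from Steve, Romain or the SATE project: two hypothetical tool report formats (constructed, as is the four-line C source they refer to) are normalized to (file, line, sink) and paired. On the sprintf line, a report that carries only file and line cannot say which of the variable arguments it meant, while a sink with a single variable argument correlates cleanly. Everything named below (vuln.c, tool A, tool B, the report syntaxes) is an assumption for illustration.

```python
"""Correlate findings from two static-analysis report formats.

Added example, not part of the SATE data set or of any tool named in this
thread. Both report formats and the C source they refer to are constructed.
The point: two tools flagging the same line need not be flagging the same
thing, so a normalizer has to carry argument position when a tool reports it.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed source under analysis (file name "vuln.c" is made up).
SOURCE = """\
char buf[64];
/* a, b and cmd arrive from the network */
sprintf(buf, "%s%s", a, b);
system(cmd);
"""

# Constructed report of hypothetical tool A: names the flagged argument.
REPORT_A = """\
vuln.c:3:sprintf:arg=4:CWE-120
vuln.c:4:system:arg=1:CWE-78
"""

# Constructed report of hypothetical tool B: file, line and sink only.
REPORT_B = """\
[vuln.c] line 3 | sprintf | buffer overflow
[vuln.c] line 4 | system | command injection
"""


@dataclass(frozen=True)
class Finding:
    tool: str
    path: str
    line: int
    sink: str
    arg: Optional[int]  # 1-based argument position, None if not reported


def parse_a(text: str) -> List[Finding]:
    out = []
    for ln in text.splitlines():
        path, line, sink, arg, _cwe = ln.split(":")
        out.append(Finding("A", path, int(line), sink, int(arg.split("=")[1])))
    return out


def parse_b(text: str) -> List[Finding]:
    pat = re.compile(r"\[(?P<path>[^\]]+)\] line (?P<line>\d+) \| (?P<sink>\w+) \|")
    out = []
    for ln in text.splitlines():
        m = pat.match(ln)
        if m:
            out.append(Finding("B", m["path"], int(m["line"]), m["sink"], None))
    return out


def variable_args(source_line: str, sink: str) -> List[int]:
    """1-based positions of arguments to `sink` that are not string literals.

    Any of these could be what a line-only report means. Splitting on commas
    is enough for the constructed input; a real tool would use a parser.
    """
    m = re.search(re.escape(sink) + r"\((.*)\)\s*;", source_line)
    args = [a.strip() for a in m.group(1).split(",")]
    return [i for i, a in enumerate(args, 1) if not a.startswith('"')]


def correlate(a_findings, b_findings, source):
    """Pair A and B findings that share (path, line, sink) and say how well."""
    lines = source.splitlines()
    results = []
    for fa in a_findings:
        for fb in b_findings:
            if (fa.path, fa.line, fa.sink) != (fb.path, fb.line, fb.sink):
                continue
            candidates = variable_args(lines[fa.line - 1], fa.sink)
            if fb.arg == fa.arg or (fb.arg is None and len(candidates) == 1):
                status = "same finding"
            elif fb.arg is None:
                status = "same line, argument unresolved"
            else:
                status = "different argument"
            results.append((fa.line, fa.sink, fa.arg, candidates, status))
    return results


if __name__ == "__main__":
    for row in correlate(parse_a(REPORT_A), parse_b(REPORT_B), SOURCE):
        print(row)
```

Scoring "what is a false positive" across tools needs the third status as much as the first two: a pair marked "argument unresolved" should go back to a human with the live tool rather than be counted as a match.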
Re: [SC-L] IBM Acquires Ounce Labs, Inc.
On Tue, 4 Aug 2009, Chris Wysopal wrote:

> As a group of security practitioners it is amazing to me that we don't
> have more quantifiable testing and tools/services are just dismissed
> with anecdotal data. I am glad NIST SATE '09 will soon be underway and,
> at least for static analysis tools, we will have unbiased independent
> testing. I am hoping for a big improvement over last year. I especially
> like the category they are using for some flaws found as "valid but
> insignificant". Clearly they are improving based on feedback from SATE
> '08.

By the way, I don't recall anybody mentioning this to SC-L before, but the SATE 2008 writeup and raw data are available:

http://samate.nist.gov/index.php/SATE.html

In the NIST pub we cover a lot of lessons learned, especially in my paper. From the raw data you can see the complexities in doing this kind of large-scale comparison. In my opinion, our biggest limitation was not using live tools.

- Steve
Re: [SC-L] IBM Acquires Ounce Labs, Inc.
Kevin -- excellent points. Starting on top:

+ this is happening... (really!)
+ "dynamic scanning" vendors are getting together to add/share more data-points and lessons with:
++ WAF vendors
++ static-analysis automation vendors
++ consultants doing Pen-Testing, static analysis, threat modeling, source reviews, etc.

It is all fresh and fairly immature, but I expect it to evolve quickly. So don't give up hope yet :)

I do not see dynamic "scanning tools" vendors working together due to market competition/differentiation (yet, at least) but I do see dynamic scanning platform vendors (like my employer) reaching out to the consulting community to figure out how to give them a better platform from which to automate their bulk work (test every FF for XSS, etc.) and add in custom testing/pattern matching.

As you probably are aware, even patterns in highly bespoke applications can often be applied to others (in the same enterprise or globally). In fact, the current generation of runtime CSRF tests I work with are an evolution of extrapolating patterns from "bespoke" applications and finding out how often they occur across unlike applications. (often)

If you have more specific examples/needs - feel free to contact me directly, Kevin, to discuss further.

On Tue, Aug 4, 2009 at 8:35 PM, Wall, Kevin wrote:
> It's a pity that these dynamic-scanning vendors can't work together to
> come up with a common approach to at least helping this automation
> you speak of at least part way along. (Yes, I know. I'm dreaming. ;-)

You are spot on. And all these are great ideas, but the implementation is where it gets tricky...

> Some ideas that I've had in the past are that they could request and make
> use of:
> 1) HTTP access logs from Apache and/or the web / application server.
> These might be especially useful when the logs are specially configured
> to also collect POST parameters and then the application's regression
> tests are run against the application to collect the log data. Most web /
> app servers support Apache HTTPD style access log format, so parsing
> shouldn't be too terribly difficult in terms of the # of variations they
> need

This is a great idea, and one we have juggled around internally quite often regarding how best to handle implementation. At one point we went down exploring server-side agents to actively collect and report, but in my experience very few (<1%) of users can deploy agents like this on their production systems. And if they do, they are the first thing blamed for any issues and get removed (and after being proven "innocent" are still hard to re-add).

I am thinking the better (though less effective) implementation is either (a) a user-driven upload feature for such files, or (b) a client-side parsing script you can run on a dedicated machine you control, and point at these config files to parse and upload the results to your dynamic testing vendor.

I have been looking for a "configuration-management" vendor that provides this sort of "config-file management" that is common in the enterprise. After talking to many customers, as recently as BH Vegas this year, I cannot find any such vendor. Does one exist? (I have seen a few tools that do this over the years, but it seems like no one uses them). A vendor-supported config-management tool would be a great (and easy) hookpoint. Kind of like DNS server records for network-VA/PT testing, but on an "application entrypoint" layer.

I would definitely like to hear more of your thoughts here. (on or offline)

Unfortunately -- very few customers I work with ask for this type of thing. While I would love to provide it -- most are still asking for features to find/classify all of their enterprise application assets. /a_priori_but_related_problem

> 2) For Java, the web.xml could be used to gather data that might allow some
> automation, especially wrt discovery of dynamic URLs that are otherwise
> difficult to discover by autoscanning.

Exactly. Also useful for identifying package mismanagement, accidentally deployed modules, and "backdoors".

> 3) If Struts or Struts2 is being used, gather info from the Struts validators
> (forget OTTOMH what the XML files are called where this is placed, but those
> are what I'm

Same goes for most modern frameworks. Too bad we do not have a standard 'web.config' file-format for frameworks.

> 4) Define some new custom format to allow the information they need to be
> independently gathered. Ideally this would be minimally some file format
> (maybe define a DTD or XSD for some XML format), but their tools could
> offer some GUI interface as well.

See above. I have also thought about a user-extensible script that would allow folks to tweak it to parse multiple types of config files across multiple frameworks/platforms, and normalize it into one big "config.xml" to feed into their testing framework. Thoughts?

> Of course, I'm not sure I'd expect to see anything like this in my life
Re: [SC-L] IBM Acquires Ounce Labs, Inc.
Arian J. Evans wrote...
> The problem I had in the past with benchmarks was the huge degree of
> customization in each application I would test. While patterns emerge
> that are almost always automatable to some degree, the technologies
> almost always require hand care-and-feeding to get them to an
> effective place. I think this notion of combining the tools with
> qualified users is the true potential power of the SaaS solutions that
> are coming to market.

It's a pity that these dynamic-scanning vendors can't work together to come up with a common approach to at least helping this automation you speak of at least part way along. (Yes, I know. I'm dreaming. ;-)

Some ideas that I've had in the past are that they could request and make use of:

1) HTTP access logs from Apache and/or the web / application server. These might be especially useful when the logs are specially configured to also collect POST parameters and then the application's regression tests are run against the application to collect the log data. Most web / app servers support Apache HTTPD style access log format, so parsing shouldn't be too terribly difficult in terms of the # of variations they need to handle.

2) For Java, the web.xml could be used to gather data that might allow some automation, especially wrt discovery of dynamic URLs that are otherwise difficult to discover by autoscanning.

3) If Struts or Struts2 is being used, gather info from the Struts validators (forget OTTOMH what the XML files are called where this is placed, but those are what I'm referring to).

4) Define some new custom format to allow the information they need to be independently gathered. Ideally this would be minimally some file format (maybe define a DTD or XSD for some XML format), but their tools could offer some GUI interface as well.

Of course, I'm not sure I'd expect to see anything like this in my lifetime. At this point, most of the users of these tools don't even see this as a need to the same degree that Arian and readers of SC-L do and it's not clear how vendors addressing these shortcomings IN A COMMON WAY would help them to compete. More likely, we'll get there from here by evolution and vendors copying ideas from one another.

The other significant driver AGAINST this as I see it is that many vendors sell "professional services" for specialized consulting on how to do these things manually. That brings in extra $$ into their companies so convincing them to give up their cash cow is a hard sell. And as a purchaser of one of these tools, if you don't have the needed expertise in house (many do, but I'm guessing a lot more don't), it's hard to tell your director that you can't use that $75K piece of shelfware that your security group just bought because they can't figure out how to configure it. Instead, they are more likely to quietly just drop another $10K or so for consulting discreetly and hope their director or VP doesn't notice.

-kevin
--
Kevin W. Wall   614.215.4788   Application Security Team / Qwest IT
"The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we come in; we're computer professionals. We cause accidents." -- Nathaniel Borenstein, co-creator of MIME
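An added example for idea (1) above, written for this page rather than taken from Kevin or from any vendor's tool: it turns access-log lines into a deduplicated list of entry points and parameter names that a dynamic scanner can be seeded with. The log lines are constructed. The format is Apache's "combined" LogFormat plus one assumed trailing quoted field holding the request body; stock Apache does not log POST bodies, so that field stands in for whatever a custom LogFormat or a filter module would capture. Parameter values are deliberately discarded, because in a real log they carry credentials and session identifiers that should not end up in a scan configuration shipped to a vendor.

```python
"""Derive a black-box scanner seed list from web-server access logs.

Added example, not code from any vendor or person on this thread. The log
lines are constructed. Combined LogFormat is assumed, with one extra trailing
quoted field assumed to hold the POST body (plain Apache does not log it).
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

LOG = """\
10.0.0.5 - - [28/Jul/2009:13:41:02 -0400] "GET /app/login.jsp HTTP/1.1" 200 1532 "-" "Mozilla/5.0" "-"
10.0.0.5 - - [28/Jul/2009:13:41:09 -0400] "POST /app/login.do HTTP/1.1" 302 0 "http://host/app/login.jsp" "Mozilla/5.0" "user=alice&pass=s3cret&remember=1"
10.0.0.5 - - [28/Jul/2009:13:41:10 -0400] "GET /app/account?id=1042&tab=history HTTP/1.1" 200 8811 "-" "Mozilla/5.0" "-"
10.0.0.7 - - [28/Jul/2009:13:42:30 -0400] "GET /app/account?id=2001 HTTP/1.1" 200 8790 "-" "Mozilla/5.0" "-"
10.0.0.7 - - [28/Jul/2009:13:42:31 -0400] "GET /static/app.css HTTP/1.1" 200 4410 "-" "Mozilla/5.0" "-"
10.0.0.9 - - [28/Jul/2009:13:45:00 -0400] "POST /app/transfer.do HTTP/1.1" 200 512 "-" "Mozilla/5.0" "from=1042&to=2001&amount=50&token=3f9a"
"""

# combined format: host ident user [time] "request" status bytes "referer" "ua"
# plus the assumed optional trailing "body" field.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: "(?P<body>[^"]*)")?$'
)

STATIC = re.compile(r"\.(css|js|png|gif|jpe?g|ico)$", re.I)


def entry_points(log_text):
    """Map (method, path) -> set of parameter names seen for it.

    Only names are kept: values in access logs routinely include passwords
    and session tokens, which must not be copied into a scan configuration.
    """
    seen = defaultdict(set)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                      # malformed line: skip, don't guess
        parts = urlsplit(m["target"])
        if STATIC.search(parts.path):
            continue                      # static assets are not entry points
        names = set(parse_qs(parts.query, keep_blank_values=True))
        body = m["body"]
        if m["method"] == "POST" and body and body != "-":
            names |= set(parse_qs(body, keep_blank_values=True))
        seen[(m["method"], parts.path)] |= names
    return seen


def seed_list(log_text):
    """One 'METHOD path name,name' line per entry point, sorted for diffing."""
    eps = entry_points(log_text)
    return [f"{method} {path} {','.join(sorted(names))}".rstrip()
            for (method, path), names in sorted(eps.items())]


if __name__ == "__main__":
    for line in seed_list(LOG):
        print(line)
```

Run against logs captured while the regression suite exercises the application, the output is the list of dynamic URLs and parameters a crawler would otherwise have to discover on its own; because the list is sorted, two runs can be diffed to spot endpoints that appeared between releases.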
Re: [SC-L] IBM Acquires Ounce Labs, Inc.
Great answer, John. I especially like your point about web.xml. This goes dually for black-box testing. There would be a lot of advantage to being able to get (and compare) these types of config files today for dialing in BBB (Better Black Box vs. blind black box) testing. I don't think anyone is doing this optimally now. I know I am eager to find static analysis that can provide/guide my BBB testing with more context.

I definitely think we will see more of these combined services evolve in the future. It only makes sense, especially given some of the context-sensitive framing considerations in your response.

Thanks for the solid thoughts,

--
Arian Evans

On Wed, Jul 29, 2009 at 5:44 AM, John Steven wrote:
> All,
>
> The question of "Is my answer going to be high-enough resolution to support
> manual review?" or "...to support a developer fixing the problem?" comes down
> to "it depends". And, as we all know, I simply can't resist an "it depends"
> kind of subtlety.
>
> Yes, Jim, if you're doing a pure JavaSE application, and you don't care about
> non-standard compilers (jikes, gcj, etc.), then the source and the binary
> are largely equivalent (at least in terms of resolution). Larry mentioned
> gcj. Ease of parsing, however, is a different story (for instance, actual
> dependencies are way easier to pull out of a binary than the source code,
> whereas stack-local variable names are easiest in source).
>
> Where you care about "a whole web application" rather than a pure-Java
> module, you have to concern yourself with JSP and all the other MVC
> technologies. Placing aside the topic of XML-based configuration files,
> you'll want to know what (container) your JSPs were compiled to target. In
> this case, source code is different than binary. Similar factors sneak
> themselves in across the Java platform.
>
> Then you've got the world of Aspect Oriented programming. Spring and a
> broader class of packages that use AspectJ to weave code into your
> application will dramatically change the face of your binary. To get the same
> resolution out of your source code, you must in essence 'apply' those point
> cuts yourself... Getting binary-quality resolution from source code
> therefore means predicting what transforms will occur at what point-cut
> locations. I doubt highly any source-based approach will get this thoroughly
> correct.
>
> Finally, from the perspective of dynamic analysis, one must consider the
> post-compiler transforms that occur. Java involves both JIT and Hotspot
> (using two hotspot compilers: client and server, each of which conducting
> different transforms), which neither binary nor source-code-based static
> analysis are likely to correctly predict or account for. The binary image
> that runs is simply not that which is fed to classloader.defineClass[] as a
> bytestream.
>
> ...and (actually) finally, one of my favorite code-review techniques is to
> ask for both a .war/ear/jar file AND the source code. This almost invariably
> gets a double-take, but it's worth the trouble. How many times do you think
> the web.xml files match between the two? What exposure might you report if
> they were identical? ... What might you test for if they're dramatically
> different?
>
> Ah... Good times,
>
> John Steven
> Senior Director; Advanced Technology Consulting
> Direct: (703) 404-5726 Cell: (703) 727-4034
> Key fingerprint = 4772 F7F3 1019 4668 62AD 94B0 AE7F EEF4 62D5 F908
>
> Blog: http://www.cigital.com/justiceleague
> Papers: http://www.cigital.com/papers/jsteven
>
> http://www.cigital.com
> Software Confidence. Achieved.
>
>
> On 7/28/09 4:36 PM, "ljknews" wrote:
>
> At 8:39 AM -1000 7/28/09, Jim Manico wrote:
>
>> A quick note, in the Java world (obfuscation aside), the source and
>> "binary" is really the same thing. The fact that Fortify analyzes
>> source and Veracode analyzes class files is a fairly minor detail.
>
> It seems to me that would only be true for those using a
> Java bytecode engine, not those using a Java compiler that
> creates machine code.
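An added example for John's ask-for-the-archive-and-the-source technique, and for idea (2) in Kevin's message earlier on this page; it is not code from Cigital or from any vendor named in the thread. It parses the web.xml from the source tree and the one pulled out of the deployed archive (both constructed here, with made-up servlet names and class names), reports URL patterns mapped only in the build and security constraints the build dropped, and lists the deployed patterns as black-box seeds with a flag for whether the container will demand a role. The `web_xml_from_war` helper reads the descriptor out of a real archive; the comparison runs on the embedded strings so it works offline.

```python
"""Compare the web.xml in a deployed .war with the one in source control.

Added example for the review technique discussed on this page (asking for
the archive and the source) and for using web.xml to seed black-box tests.
Not code from Cigital or any vendor in the thread; both descriptors are
constructed. <servlet> declarations are omitted for brevity.
"""
import xml.etree.ElementTree as ET
import zipfile
from collections import defaultdict

SOURCE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet-mapping><servlet-name>account</servlet-name><url-pattern>/account/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>transfer</servlet-name><url-pattern>/transfer.do</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/account/*</url-pattern><url-pattern>/transfer.do</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>customer</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

# What shipped: one servlet mapped in that source never had, one constraint gone.
DEPLOYED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet-mapping><servlet-name>account</servlet-name><url-pattern>/account/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>transfer</servlet-name><url-pattern>/transfer.do</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>debug</servlet-name><url-pattern>/debug/*</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection><url-pattern>/account/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>customer</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Drop the namespace so 2.3 (DTD) and 2.4+ (XSD) descriptors parse alike."""
    return tag.rsplit("}", 1)[-1]


def _children(el, name):
    return [c for c in el if _local(c.tag) == name]


def parse_web_xml(text):
    """Return ({url_pattern: servlet_name}, {url_pattern: frozenset(roles)}).

    ElementTree does not fetch external entities, but a descriptor pulled from
    an archive you did not build is untrusted input: prefer defusedxml there.
    """
    root = ET.fromstring(text)
    mappings, protected = {}, {}
    for el in root:
        kind = _local(el.tag)
        if kind == "servlet-mapping":
            name = _children(el, "servlet-name")[0].text.strip()
            for p in _children(el, "url-pattern"):
                mappings[p.text.strip()] = name
        elif kind == "security-constraint":
            roles = frozenset(r.text.strip()
                              for ac in _children(el, "auth-constraint")
                              for r in _children(ac, "role-name"))
            for wrc in _children(el, "web-resource-collection"):
                for p in _children(wrc, "url-pattern"):
                    protected[p.text.strip()] = roles
    return mappings, protected


def compare(source_xml, deployed_xml):
    """What to ask about when the two descriptors differ.

    Patterns are compared as exact strings; a constraint on a broader pattern
    such as /* would need servlet-spec URL matching, which is not shown here.
    """
    s_map, s_prot = parse_web_xml(source_xml)
    d_map, d_prot = parse_web_xml(deployed_xml)
    report = defaultdict(list)
    for p in sorted(set(d_map) - set(s_map)):
        report["deployed_only"].append(p)       # accidental module, or a backdoor?
    for p in sorted(set(s_map) - set(d_map)):
        report["source_only"].append(p)
    for p in sorted(set(s_prot) - set(d_prot)):
        report["constraint_dropped"].append(p)  # protected in source, open in build
    for p in sorted(set(s_prot) & set(d_prot)):
        if d_prot[p] != s_prot[p]:
            report["roles_changed"].append(p)
    return dict(report)


def seeds(deployed_xml):
    """Deployed URL patterns with whether the container will demand a role."""
    d_map, d_prot = parse_web_xml(deployed_xml)
    return [(p, p in d_prot) for p in sorted(d_map)]


def web_xml_from_war(path):
    """Read WEB-INF/web.xml out of the archive handed over for review."""
    with zipfile.ZipFile(path) as war:
        return war.read("WEB-INF/web.xml").decode("utf-8")
```

With a real archive, `compare(open("src/WEB-INF/web.xml").read(), web_xml_from_war("app.war"))` answers John's two questions directly: identical descriptors mean the source review covers the deployed attack surface, and a `deployed_only` or `constraint_dropped` entry is the first thing to point the black-box tester at.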
Re: [SC-L] IBM Acquires Ounce Labs, Inc.
I wouldn't say that NTO Spider is a "sort of" dynamic web scanner. It is a top tier scanner that can battle head to head on false negative rate with the big conglomerates' scanners: IBM AppScan and HP WebInspect. Larry Suto published an analysis a year ago, that certainly had some flaws (and was rightly criticized), but genuinely showed all three to be in the same league. I haven't seen a better head-to-head analysis conducted by anyone. A little bird whispered to me that we may see a new analysis by someone soon.

As a group of security practitioners it is amazing to me that we don't have more quantifiable testing and tools/services are just dismissed with anecdotal data. I am glad NIST SATE '09 will soon be underway and, at least for static analysis tools, we will have unbiased independent testing. I am hoping for a big improvement over last year. I especially like the category they are using for some flaws found as "valid but insignificant". Clearly they are improving based on feedback from SATE '08.

Veracode was the first company to offer static and dynamic (web) analysis, and we have been for 2 years (announced Aug 8, 2007). We deliver it as a service. If you have a .NET or Java web app, you cannot find a comparable solution from a single vendor today.

-Chris

-----Original Message-----
From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On Behalf Of Arian J. Evans
Sent: Tuesday, July 28, 2009 1:41 PM
To: Matt Fisher
Cc: Kenneth Van Wyk; Secure Coding
Subject: Re: [SC-L] IBM Acquires Ounce Labs, Inc.

Right now, officially, I think that is about it. IBM, Veracode, and AoD (in Germany) claims they have this too.

As Mattyson mentioned, Veracode only does static binary analysis (no source analysis). They offer "dynamic scanning" but I believe it is using NTO Spider IIRC which is a simplified scanner that targets unskilled users last I saw it. At one point I believe Veracode was in discussions with SPI to use WI, but since the Veracoders haunt this list I'll let them clarify what they use if they want.

So IBM: soon. Veracode: sort-of. AoD: on paper. And more to come in short order no doubt.

I think we all knew this was coming sooner or later. Just a matter of "when". The big guys have a lot of bucks to throw at this problem if they want to, and pull off some really nice integrations. Be interesting to see what they do, and how useful the integrations really are to organizations.

-- Arian Evans

On Tue, Jul 28, 2009 at 9:29 AM, Matt Fisher wrote:
> Pretty much. HP/SPI has integrations as well but I don't recall DevInspect ever being a big hit. Veracode does both as well as static binary but as a SaaS model. Watchfire had a RAD integration as well iirc but it clearly must not have had the share Ounce does.
>
> -----Original Message-----
> From: Prasad Shenoy
> Sent: July 28, 2009 12:22 PM
> To: Kenneth Van Wyk
> Cc: Secure Coding
> Subject: Re: [SC-L] IBM Acquires Ounce Labs, Inc.
>
> Wow indeed. Does that make IBM the only vendor to offer both Static and Dynamic software security testing/analysis capabilities?
>
> Thanks & Regards,
> Prasad N. Shenoy
>
> On Tue, Jul 28, 2009 at 10:19 AM, Kenneth Van Wyk wrote:
>> Wow, big acquisition news in the static code analysis space announced today:
>>
>> http://news.prnewswire.com/DisplayReleaseContent.aspx?ACCT=104&STORY=/www/story/07-28-2009/0005067166&EDATE=
>>
>> Cheers,
>>
>> Ken
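Chris's complaint above (and Matt's earlier one about scanners being ranked "based on what they found, with absolutely no testing ground truth") is easy to make concrete. The following is an added example, not code from this thread, from NIST SATE or from any vendor named here: a small scoring script that ranks three fictional tools once by raw finding count and once against a constructed, labelled ground-truth set, with a SATE-style "significant" vs "insignificant" label on each seeded flaw. The benchmark flaws, the tool outputs and the tool names are all constructed for the example.

```python
"""Rank application scanners against a labelled ground-truth set instead of
by raw finding count.

Added example, not code from the SC-L thread or from NIST SATE / any vendor.
The benchmark flaws and the three tools' outputs are constructed here.
"""
from dataclasses import dataclass

# A finding is identified by (file, line, CWE id); matching is exact.
Finding = tuple[str, int, str]

# Constructed ground truth for a fictional benchmark app. Each seeded flaw is
# labelled "significant" or "insignificant", in the spirit of the SATE
# "valid but insignificant" category.
GROUND_TRUTH: dict[Finding, str] = {
    ("login.jsp", 42, "CWE-89"): "significant",      # SQL injection
    ("search.jsp", 17, "CWE-79"): "significant",     # reflected XSS
    ("upload.jsp", 88, "CWE-22"): "significant",     # path traversal
    ("admin.jsp", 5, "CWE-352"): "significant",      # CSRF
    ("Util.java", 120, "CWE-117"): "insignificant",  # log forging
    ("Util.java", 140, "CWE-117"): "insignificant",
}

# Constructed output of three fictional tools. tool-c reports the most but
# pads the count with false positives and misses two significant flaws.
TOOL_RESULTS: dict[str, set[Finding]] = {
    "tool-a": {
        ("login.jsp", 42, "CWE-89"), ("search.jsp", 17, "CWE-79"),
        ("upload.jsp", 88, "CWE-22"), ("admin.jsp", 5, "CWE-352"),
    },
    "tool-b": {
        ("login.jsp", 42, "CWE-89"), ("search.jsp", 17, "CWE-79"),
        ("Util.java", 120, "CWE-117"), ("Util.java", 140, "CWE-117"),
        ("index.jsp", 3, "CWE-79"),                   # false positive
    },
    "tool-c": {
        ("login.jsp", 42, "CWE-89"), ("search.jsp", 17, "CWE-79"),
        ("Util.java", 120, "CWE-117"), ("Util.java", 140, "CWE-117"),
        ("index.jsp", 3, "CWE-79"), ("index.jsp", 9, "CWE-79"),
        ("help.jsp", 12, "CWE-79"), ("Util.java", 7, "CWE-89"),
        ("Util.java", 200, "CWE-117"),                # five false positives
    },
}


@dataclass(frozen=True)
class Score:
    tool: str
    reported: int
    true_pos: int
    false_pos: int
    false_neg: int
    precision: float           # TP / reported
    recall: float              # TP / all ground-truth flaws
    significant_recall: float  # TP / significant ground-truth flaws only


def score(tool, results=TOOL_RESULTS, truth=GROUND_TRUTH):
    """Score one tool's findings against the ground truth."""
    found = results[tool]
    tp = {f for f in found if f in truth}
    fp = found - tp
    fn = {f for f in truth if f not in found}
    significant = {f for f, label in truth.items() if label == "significant"}
    return Score(
        tool=tool, reported=len(found), true_pos=len(tp),
        false_pos=len(fp), false_neg=len(fn),
        precision=len(tp) / len(found) if found else 0.0,
        recall=len(tp) / len(truth),
        significant_recall=len(tp & significant) / len(significant),
    )


def rank_by_count(results=TOOL_RESULTS):
    """The 'who found what' ranking: most reported findings wins."""
    return sorted(results, key=lambda t: len(results[t]), reverse=True)


def rank_by_ground_truth(results=TOOL_RESULTS, truth=GROUND_TRUTH):
    """Rank by recall on significant flaws, then precision, so padding the
    report with false positives cannot move a tool up the list."""
    scores = {t: score(t, results, truth) for t in results}
    return sorted(scores, key=lambda t: (scores[t].significant_recall,
                                         scores[t].precision), reverse=True)


if __name__ == "__main__":
    for t in rank_by_ground_truth():
        print(score(t))
    print("by count:       ", rank_by_count())
    print("by ground truth:", rank_by_ground_truth())
```

With these inputs the count-based ranking puts tool-c first and tool-a last, while the ground-truth ranking reverses the order, because tool-a is the only one that finds all four significant flaws and reports no false positives. The matching rule here is exact (file, line, CWE); a real benchmark would also need a tolerance for line drift and a policy for findings that name the right flaw under a different CWE.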
Re: [SC-L] IBM Acquires Ounce Labs, Inc.
All,

The question of "Is my answer going to be high-enough resolution to support manual review?" or "...to support a developer fixing the problem?" comes down to "it depends". And, as we all know, I simply can't resist an "it depends" kind of subtlety.

Yes, Jim, if you're doing a pure JavaSE application, and you don't care about non-standard compilers (jikes, gcj, etc.), then the source and the binary are largely equivalent (at least in terms of resolution). Larry mentioned gcj. Ease of parsing, however, is a different story (for instance, actual dependencies are way easier to pull out of a binary than the source code, whereas stack-local variable names are easiest in source).

Where you care about "a whole web application" rather than a pure-Java module, you have to concern yourself with JSP and all the other MVC technologies. Placing aside the topic of XML-based configuration files, you'll want to know what (container) your JSPs were compiled to target. In this case, source code is different than binary. Similar factors sneak themselves in across the Java platform.

Then you've got the world of Aspect Oriented programming. Spring and a broader class of packages that use AspectJ to weave code into your application will dramatically change the face of your binary. To get the same resolution out of your source code, you must in essence 'apply' those point cuts yourself... Getting binary-quality resolution from source code therefore means predicting what transforms will occur at what point-cut locations. I doubt highly any source-based approach will get this thoroughly correct.

Finally, from the perspective of dynamic analysis, one must consider the post-compiler transforms that occur. Java involves both JIT and HotSpot (using two HotSpot compilers: client and server, each of which conducts different transforms), which neither binary nor source-code-based static analysis is likely to correctly predict or account for. The binary image that runs is simply not that which is fed to ClassLoader.defineClass() as a bytestream.

...and (actually) finally, one of my favorite code-review techniques is to ask for both a .war/ear/jar file AND the source code. This almost invariably gets a double-take, but it's worth the trouble. How many times do you think the web.xml matches between the two? What exposure might you report if they were identical? ... What might you test for if they're dramatically different?

Ah... Good times,

John Steven
Senior Director; Advanced Technology Consulting
Direct: (703) 404-5726 Cell: (703) 727-4034
Key fingerprint = 4772 F7F3 1019 4668 62AD 94B0 AE7F EEF4 62D5 F908
Blog: http://www.cigital.com/justiceleague
Papers: http://www.cigital.com/papers/jsteven
http://www.cigital.com
Software Confidence. Achieved.

On 7/28/09 4:36 PM, "ljknews" wrote:

At 8:39 AM -1000 7/28/09, Jim Manico wrote:
> A quick note, in the Java world (obfuscation aside), the source and
> "binary" are really the same thing. The fact that Fortify analyzes
> source and Veracode analyzes class files is a fairly minor detail.

It seems to me that would only be true for those using a Java bytecode engine, not those using a Java compiler that creates machine code.
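The "ask for the WAR and the source" review technique in the message above can be partly automated. What follows is an added example, not code from the thread's author or from Cigital: a script that pulls WEB-INF/web.xml out of a shipped .war, reduces both it and the source-tree copy to the settings that control exposure (servlet URL mappings and security constraints with their roles and transport guarantee), and reports where the deployed descriptor differs from the one in source. The WAR, both descriptors, the servlet names and the URL patterns are constructed for the example so it runs offline; real use would read the two files from disk.

```python
"""Diff the deployment descriptor shipped in a .war against the one in the
source tree, reporting changes to the settings that control exposure:
servlet URL mappings and security constraints (roles, transport guarantee).

Added example for the review technique described above; it is not code from
the thread's author or from Cigital. The WAR bytes and both web.xml files are
constructed here so it runs offline.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

# Constructed source-tree descriptor: /admin/* is restricted to the "admin"
# role and must be served over TLS (CONFIDENTIAL).
SOURCE_WEB_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet-mapping><servlet-name>Front</servlet-name><url-pattern>/app/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>Admin</servlet-name><url-pattern>/admin/*</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection><web-resource-name>admin</web-resource-name><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""

# Constructed descriptor as it ended up inside the shipped WAR: the TLS
# requirement was dropped and a debug console mapping was added.
WAR_WEB_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet-mapping><servlet-name>Front</servlet-name><url-pattern>/app/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>Admin</servlet-name><url-pattern>/admin/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>DebugConsole</servlet-name><url-pattern>/debug/*</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection><web-resource-name>admin</web-resource-name><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""


def build_sample_war():
    """Build an in-memory .war (a zip) holding the constructed descriptor."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", WAR_WEB_XML)
    return buf.getvalue()


def read_war_web_xml(war_bytes):
    """Extract WEB-INF/web.xml from the bytes of a .war file."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return war.read("WEB-INF/web.xml")


def _local(tag):
    """Drop the XML namespace: '{http://...}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _texts(elem, name):
    return [(c.text or "").strip() for c in _children(elem, name)]


def summarize_web_xml(xml_bytes):
    """Reduce a web.xml to {url-pattern: servlet-name} and
    {url-pattern: (sorted role names, transport-guarantee)}."""
    root = ET.fromstring(xml_bytes)
    mappings, constraints = {}, {}
    for sm in _children(root, "servlet-mapping"):
        for pattern in _texts(sm, "url-pattern"):
            mappings[pattern] = _texts(sm, "servlet-name")[0]
    for sc in _children(root, "security-constraint"):
        roles, patterns, transport = [], [], "NONE"
        for wrc in _children(sc, "web-resource-collection"):
            patterns += _texts(wrc, "url-pattern")
        for ac in _children(sc, "auth-constraint"):
            roles += _texts(ac, "role-name")
        for udc in _children(sc, "user-data-constraint"):
            transport = (_texts(udc, "transport-guarantee") or ["NONE"])[0]
        for pattern in patterns:
            constraints[pattern] = (tuple(sorted(roles)), transport)
    return {"mappings": mappings, "constraints": constraints}


def diff_descriptors(source_xml, war_xml):
    """List the exposure-relevant ways the deployed descriptor differs from
    the source one. Missing or weakened constraints are reported first."""
    src, dep = summarize_web_xml(source_xml), summarize_web_xml(war_xml)
    findings = []
    for pattern, (roles, transport) in src["constraints"].items():
        if pattern not in dep["constraints"]:
            findings.append(f"MISSING constraint in WAR: {pattern} (source requires roles {list(roles)})")
            continue
        d_roles, d_transport = dep["constraints"][pattern]
        if d_roles != roles:
            findings.append(f"ROLE mismatch for {pattern}: source {list(roles)} vs WAR {list(d_roles)}")
        if d_transport != transport:
            findings.append(f"TRANSPORT mismatch for {pattern}: source {transport} vs WAR {d_transport}")
    for pattern in dep["constraints"]:
        if pattern not in src["constraints"]:
            findings.append(f"EXTRA constraint only in WAR: {pattern}")
    for pattern, servlet in dep["mappings"].items():
        if pattern not in src["mappings"]:
            findings.append(f"EXTRA mapping only in WAR: {pattern} -> {servlet}")
    for pattern in src["mappings"]:
        if pattern not in dep["mappings"]:
            findings.append(f"MISSING mapping in WAR: {pattern}")
    return findings


def review_sample():
    """Run the comparison on the constructed WAR and source descriptor."""
    return diff_descriptors(SOURCE_WEB_XML, read_war_web_xml(build_sample_war()))


if __name__ == "__main__":
    for line in review_sample():
        print(line)
```

On the constructed inputs the script reports two things a reviewer would want to test for: the admin area lost its CONFIDENTIAL transport guarantee between source and build, and the build exposes a /debug/* mapping that the source never declared. The same comparison applied to identical descriptors returns nothing, which is itself a useful data point: the build pipeline is not rewriting the descriptor, so what you reviewed in source is what is deployed.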
Re: [SC-L] IBM Acquires Ounce Labs, Inc.
At 8:39 AM -1000 7/28/09, Jim Manico wrote:
> A quick note, in the Java world (obfuscation aside), the source and
> "binary" are really the same thing. The fact that Fortify analyzes
> source and Veracode analyzes class files is a fairly minor detail.

It seems to me that would only be true for those using a Java bytecode engine, not those using a Java compiler that creates machine code.

-- Larry Kilgallen
Re: [SC-L] IBM Acquires Ounce Labs, Inc.
A quick note, in the Java world (obfuscation aside), the source and "binary" are really the same thing. The fact that Fortify analyzes source and Veracode analyzes class files is a fairly minor detail.

Jim Manico

On Jul 28, 2009, at 7:40 AM, "Arian J. Evans" wrote:

Right now, officially, I think that is about it. IBM, Veracode, and AoD (in Germany) claims they have this too.

As Mattyson mentioned, Veracode only does static binary analysis (no source analysis). They offer "dynamic scanning" but I believe it is using NTO Spider IIRC which is a simplified scanner that targets unskilled users last I saw it. At one point I believe Veracode was in discussions with SPI to use WI, but since the Veracoders haunt this list I'll let them clarify what they use if they want.

So IBM: soon. Veracode: sort-of. AoD: on paper. And more to come in short order no doubt.

I think we all knew this was coming sooner or later. Just a matter of "when". The big guys have a lot of bucks to throw at this problem if they want to, and pull off some really nice integrations. Be interesting to see what they do, and how useful the integrations really are to organizations.

-- Arian Evans

On Tue, Jul 28, 2009 at 9:29 AM, Matt Fisher wrote:

Pretty much. HP/SPI has integrations as well but I don't recall DevInspect ever being a big hit. Veracode does both as well as static binary but as a SaaS model. Watchfire had a RAD integration as well iirc but it clearly must not have had the share Ounce does.

-----Original Message-----
From: Prasad Shenoy
Sent: July 28, 2009 12:22 PM
To: Kenneth Van Wyk
Cc: Secure Coding
Subject: Re: [SC-L] IBM Acquires Ounce Labs, Inc.

Wow indeed. Does that make IBM the only vendor to offer both Static and Dynamic software security testing/analysis capabilities?

Thanks & Regards,
Prasad N. Shenoy

On Tue, Jul 28, 2009 at 10:19 AM, Kenneth Van Wyk wrote:

Wow, big acquisition news in the static code analysis space announced today:

http://news.prnewswire.com/DisplayReleaseContent.aspx?ACCT=104&STORY=/www/story/07-28-2009/0005067166&EDATE=

Cheers,

Ken
Re: [SC-L] IBM Acquires Ounce Labs, Inc.
Fortify (www.fortify.com) has partnered with WhiteHat Security (www.whitehatsec.com) too

Tom Brennan
Board Member - OWASP Foundation
URL: www.owasp.org | Tel: 973-202-0122
http://www.linkedin.com/in/tombrennan

-----Original Message-----
From: Matt Fisher
Date: Tue, 28 Jul 2009 11:29:30
To: Prasad Shenoy; Kenneth Van Wyk
Cc: Secure Coding
Subject: Re: [SC-L] IBM Acquires Ounce Labs, Inc.

Pretty much. HP/SPI has integrations as well but I don't recall DevInspect ever being a big hit. Veracode does both as well as static binary but as a SaaS model. Watchfire had a RAD integration as well iirc but it clearly must not have had the share Ounce does.

-----Original Message-----
From: Prasad Shenoy
Sent: July 28, 2009 12:22 PM
To: Kenneth Van Wyk
Cc: Secure Coding
Subject: Re: [SC-L] IBM Acquires Ounce Labs, Inc.

Wow indeed. Does that make IBM the only vendor to offer both Static and Dynamic software security testing/analysis capabilities?

Thanks & Regards,
Prasad N. Shenoy

On Tue, Jul 28, 2009 at 10:19 AM, Kenneth Van Wyk wrote:
> Wow, big acquisition news in the static code analysis space announced today:
>
> http://news.prnewswire.com/DisplayReleaseContent.aspx?ACCT=104&STORY=/www/story/07-28-2009/0005067166&EDATE=
>
> Cheers,
>
> Ken
Re: [SC-L] IBM Acquires Ounce Labs, Inc.
Ah sorry didn't mean to leave you out Tom.

-----Original Message-----
From: Tom Brennan
Sent: July 28, 2009 1:24 PM
To: Matt Fisher ; sc-l-boun...@securecoding.org ; Prasad Shenoy ; Kenneth Van Wyk
Cc: Secure Coding
Subject: Re: [SC-L] IBM Acquires Ounce Labs, Inc.

Fortify (www.fortify.com) has partnered with WhiteHat Security (www.whitehatsec.com) too

Tom Brennan
Board Member - OWASP Foundation
URL: www.owasp.org | Tel: 973-202-0122
http://www.linkedin.com/in/tombrennan

-----Original Message-----
From: Matt Fisher
Date: Tue, 28 Jul 2009 11:29:30
To: Prasad Shenoy; Kenneth Van Wyk
Cc: Secure Coding
Subject: Re: [SC-L] IBM Acquires Ounce Labs, Inc.

Pretty much. HP/SPI has integrations as well but I don't recall DevInspect ever being a big hit. Veracode does both as well as static binary but as a SaaS model. Watchfire had a RAD integration as well iirc but it clearly must not have had the share Ounce does.

-----Original Message-----
From: Prasad Shenoy
Sent: July 28, 2009 12:22 PM
To: Kenneth Van Wyk
Cc: Secure Coding
Subject: Re: [SC-L] IBM Acquires Ounce Labs, Inc.

Wow indeed. Does that make IBM the only vendor to offer both Static and Dynamic software security testing/analysis capabilities?

Thanks & Regards,
Prasad N. Shenoy

On Tue, Jul 28, 2009 at 10:19 AM, Kenneth Van Wyk wrote:
> Wow, big acquisition news in the static code analysis space announced today:
>
> http://news.prnewswire.com/DisplayReleaseContent.aspx?ACCT=104&STORY=/www/story/07-28-2009/0005067166&EDATE=
>
> Cheers,
>
> Ken
Re: [SC-L] IBM Acquires Ounce Labs, Inc.
Pretty much. HP/SPI has integrations as well but I don't recall DevInspect ever being a big hit. Veracode does both as well as static binary but as a SaaS model. Watchfire had a RAD integration as well iirc but it clearly must not have had the share Ounce does.

-----Original Message-----
From: Prasad Shenoy
Sent: July 28, 2009 12:22 PM
To: Kenneth Van Wyk
Cc: Secure Coding
Subject: Re: [SC-L] IBM Acquires Ounce Labs, Inc.

Wow indeed. Does that make IBM the only vendor to offer both Static and Dynamic software security testing/analysis capabilities?

Thanks & Regards,
Prasad N. Shenoy

On Tue, Jul 28, 2009 at 10:19 AM, Kenneth Van Wyk wrote:
> Wow, big acquisition news in the static code analysis space announced today:
>
> http://news.prnewswire.com/DisplayReleaseContent.aspx?ACCT=104&STORY=/www/story/07-28-2009/0005067166&EDATE=
>
> Cheers,
>
> Ken
Re: [SC-L] IBM Acquires Ounce Labs, Inc.
Right now, officially, I think that is about it. IBM, Veracode, and AoD (in Germany) claims they have this too.

As Mattyson mentioned, Veracode only does static binary analysis (no source analysis). They offer "dynamic scanning" but I believe it is using NTO Spider IIRC which is a simplified scanner that targets unskilled users last I saw it. At one point I believe Veracode was in discussions with SPI to use WI, but since the Veracoders haunt this list I'll let them clarify what they use if they want.

So IBM: soon. Veracode: sort-of. AoD: on paper. And more to come in short order no doubt.

I think we all knew this was coming sooner or later. Just a matter of "when". The big guys have a lot of bucks to throw at this problem if they want to, and pull off some really nice integrations. Be interesting to see what they do, and how useful the integrations really are to organizations.

-- Arian Evans

On Tue, Jul 28, 2009 at 9:29 AM, Matt Fisher wrote:
> Pretty much. HP/SPI has integrations as well but I don't recall DevInspect ever being a big hit. Veracode does both as well as static binary but as a SaaS model. Watchfire had a RAD integration as well iirc but it clearly must not have had the share Ounce does.
>
> -----Original Message-----
> From: Prasad Shenoy
> Sent: July 28, 2009 12:22 PM
> To: Kenneth Van Wyk
> Cc: Secure Coding
> Subject: Re: [SC-L] IBM Acquires Ounce Labs, Inc.
>
> Wow indeed. Does that make IBM the only vendor to offer both Static and Dynamic software security testing/analysis capabilities?
>
> Thanks & Regards,
> Prasad N. Shenoy
>
> On Tue, Jul 28, 2009 at 10:19 AM, Kenneth Van Wyk wrote:
>> Wow, big acquisition news in the static code analysis space announced today:
>>
>> http://news.prnewswire.com/DisplayReleaseContent.aspx?ACCT=104&STORY=/www/story/07-28-2009/0005067166&EDATE=
>>
>> Cheers,
>>
>> Ken
Re: [SC-L] IBM Acquires Ounce Labs, Inc.
Wow indeed. Does that make IBM the only vendor to offer both Static and Dynamic software security testing/analysis capabilities?

Thanks & Regards,
Prasad N. Shenoy

On Tue, Jul 28, 2009 at 10:19 AM, Kenneth Van Wyk wrote:
> Wow, big acquisition news in the static code analysis space announced today:
>
> http://news.prnewswire.com/DisplayReleaseContent.aspx?ACCT=104&STORY=/www/story/07-28-2009/0005067166&EDATE=
>
> Cheers,
>
> Ken
[SC-L] IBM Acquires Ounce Labs, Inc.
Wow, big acquisition news in the static code analysis space announced today:

http://news.prnewswire.com/DisplayReleaseContent.aspx?ACCT=104&STORY=/www/story/07-28-2009/0005067166&EDATE=

Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

(This email is digitally signed with a free x.509 certificate from CAcert.
If you're unable to verify the signature, try getting their root CA
certificate at http://www.cacert.org -- for free.)