At 10:51 PM 29/08/2007, McGovern, James F (HTSC, IT) wrote:
- So when a vendor says that they are focused on quality and not
security, and vice versa, what exactly does this mean? I don't have a
great mental model of something that is a security concern that isn't a
predictor of quality.
James,
Not dumb questions: an unfortunate situation. I do tool bakeoffs for clients a
fair amount. I'm responsible for the rules Cigital initially sold to Fortify. I
also attempt to work closely with companies like Coverity and understand deeply
the underpinnings of that tool's engine. I've a
James, Bret-
I agree with Bret that security and quality are inherently related (as
well as many other system attributes).
I think vendors (particularly sales guys) tend to reflect back to
customers what they are hearing from other customers. So I think many
customers go to these vendors asking
| Most recently, we have met with a variety of vendors including but not
| limited to: Coverity, Ounce Labs, Fortify, Klocwork, HP and so on. In
| the conversation they all used interesting phrases to describe how they
| classify their competitors' value proposition. At some level, this has
| managed
- So when a vendor says that they are focused on quality and not
security, and vice versa, what exactly does this mean?
We spend most of Chapter 2 of Secure Programming with Static Analysis
describing the different problems that static analysis tools try to solve,
and we show where we think all