Re: [SC-L] Really dumb questions?

2007-08-30 Thread Bret Watson
At 10:51 PM 29/08/2007, McGovern, James F (HTSC, IT) wrote: - So when a vendor says that they are focused on quality and not security, and vice versa, what exactly does this mean? I don't have a great mental model of something that is a security concern that isn't a predictor of quality.

Re: [SC-L] Really dumb questions?

2007-08-30 Thread John Steven
James, Not dumb questions: an unfortunate situation. I do tool bakeoffs for clients a fair amount. I'm responsible for the rules Cigital initially sold to Fortify. I also attempt to work closely with companies like Coverity and understand deeply the underpinnings of that tool's engine. I've a

Re: [SC-L] Really dumb questions?

2007-08-30 Thread Robert C. Seacord
James, Bret- I agree with Bret that security and quality are inherently related (as well as many other system attributes). I think vendors (particularly sales guys) tend to reflect back to customers what they are hearing from other customers. So I think many customers go to these vendors asking

Re: [SC-L] Really dumb questions?

2007-08-30 Thread Leichter, Jerry
| Most recently, we have met with a variety of vendors including but not | limited to: Coverity, Ounce Labs, Fortify, Klocwork, HP and so on. In | the conversation they all used interesting phrases to describe how they | classify their competitors' value proposition. At some level, this has | managed

Re: [SC-L] Really dumb questions?

2007-08-30 Thread Brian Chess
- So when a vendor says that they are focused on quality and not security, and vice versa, what exactly does this mean? We spend most of Chapter 2 of Secure Programming with Static Analysis describing the different problems that static analysis tools try to solve, and we show where we think all