Re: [SC-L] Really dumb questions?

2007-08-30 Thread Brian Chess
> - So when a vendor says that they are focused on quality and not > security, and vice versa what exactly does this mean? We spend most of Chapter 2 of Secure Programming with Static Analysis describing the different problems that static analysis tools try to solve, and we show where we think all

Re: [SC-L] Really dumb questions?

2007-08-30 Thread Leichter, Jerry
| Most recently, we have met with a variety of vendors including but not | limited to: Coverity, Ounce Labs, Fortify, Klocwork, HP and so on. In | the conversation they all used interesting phrases to describe how they | classify their competitors' value proposition. At some level, this has | managed to

Re: [SC-L] Really dumb questions?

2007-08-30 Thread Robert C. Seacord
James, Bret- I agree with Bret that security and quality are inherently related (as well as many other system attributes). I think vendors (particularly sales guys) tend to reflect back to customers what they are hearing from other customers. So I think many customers go to these vendors asking

Re: [SC-L] Really dumb questions?

2007-08-30 Thread John Steven
James, Not dumb questions: an unfortunate situation. I do tool bakeoffs for clients a fair amount. I'm responsible for the rules Cigital initially sold to Fortify. I also attempt to work closely with companies like Coverity and understand deeply the underpinnings of that tool's engine. I've a f

Re: [SC-L] Really dumb questions?

2007-08-30 Thread Bret Watson
At 10:51 PM 29/08/2007, McGovern, James F (HTSC, IT) wrote: >- So when a vendor says that they are focused on quality and not >security, and vice versa what exactly does this mean? I don't have a >great mental model of something that is a security concern that isn't a >predictor of quality. Likew

[SC-L] Really dumb questions?

2007-08-29 Thread McGovern, James F (HTSC, IT)
Most recently, we have met with a variety of vendors including but not limited to: Coverity, Ounce Labs, Fortify, Klocwork, HP and so on. In the conversation they all used interesting phrases to describe how they classify their competitors' value proposition. At some level, this has managed to confuse m