Re: [SC-L] Dark Reading - Discovery and management - Security Startups Make Debut - Security News Analysis
At 5:20 PM +1100 1/25/07, Crispin Cowan wrote:
> ljknews wrote:
>> My guess is that if a company actually is capable of analyzing binary code they only do it for the highest volume instruction sets.
>
> They certainly will focus on larger markets first. If you want them to focus on *your* market, make it worth their while :)

So I should pay to have them check the work of my vendors ? Or I would convince my vendors to pay them ?

Sorry, my business is not that large a fraction of my vendors' customer base.
--
Larry Kilgallen
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___
[SC-L] Dark Reading - Discovery and management - Security Startups Make Debut - Security News Analysis
Ok, last software security news item for today, I promise. :-)

This article (see http://www.darkreading.com/document.asp?doc_id=115110WT.svl=news1_1) is about a couple of new startup companies. One of them in particular, Veracode, may be of some interest here. The article says,

Veracode, founded by Chris Wysopal and other former executives of @stake, is now offering patented binary-code analysis of software for enterprises that want to analyze their software's security on a regular basis. The ASP will also offer security reviews of enterprise products and security analysis of third-party apps for software developers.

The article also provides some counterpoints, including some from Gary McGraw, that are worth reading. Among other things, Gary says,

However, if you want real security analysis you have to go past the binary, past the source code, and actually consider the design.

Opinions on binary vs. source code (and design!) analysis, anyone?

Cheers,
Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com

Re: [SC-L] Dark Reading - Discovery and management - Security Startups Make Debut - Security News Analysis
At 1:52 PM -0500 1/22/07, Kenneth Van Wyk wrote:
> Ok, last software security news item for today, I promise. :-)
>
> This article (see http://www.darkreading.com/document.asp?doc_id=115110WT.svl=news1_1) is about a couple of new startup companies. One of them in particular, Veracode, may be of some interest here. The article says,
>
> Veracode, founded by Chris Wysopal and other former executives of @stake, is now offering patented binary-code analysis of software for enterprises that want to analyze their software's security on a regular basis. The ASP will also offer security reviews of enterprise products and security analysis of third-party apps for software developers.
>
> The article also provides some counterpoints, including some from Gary McGraw, that are worth reading. Among other things, Gary says,
>
> However, if you want real security analysis you have to go past the binary, past the source code, and actually consider the design.
>
> Opinions on binary vs. source code (and design!) analysis, anyone?

Analyzing source code is independent of machine architecture. My guess is that if a company actually is capable of analyzing binary code they only do it for the highest volume instruction sets.

My guess is that attackers will go after machines they feel are less protected. Efforts which merely change attacker behavior are a waste of time.
--
Larry Kilgallen

Re: [SC-L] Dark Reading - Discovery and management - Security Startups Make Debut - Security News Analysis
At 3:10 PM -0800 1/22/07, Blue Boar wrote:
> ljknews wrote:
>> Analyzing source code is independent of machine architecture. My guess is that if a company actually is capable of analyzing binary code they only do it for the highest volume instruction sets.
>>
>> My guess is that attackers will go after machines they feel are less protected. Efforts which merely change attacker behavior are a waste of time.
>
> Nope. If I'm running x86 boxes, I'd be more than happy to have the attackers move to SPARC.

Those of us _not_ running X86 do not feel that way.
--
Larry Kilgallen