At 10:51 PM 29/08/2007, McGovern, James F (HTSC, IT) wrote: - So when a vendor says that they are focused on quality and not security, and vice versa, what exactly does this mean? I don't have a great mental model of something that is a security concern that isn't a predictor of quality.
James, Not dumb questions: an unfortunate situation. I do tool bakeoffs for clients a fair amount. I'm responsible for the rules Cigital initially sold to Fortify. I also attempt to work closely with companies like Coverity and understand deeply the underpinnings of that tool's engine. I've a
James, Bret- I agree with Bret that security and quality are inherently related (as well as many other system attributes). I think vendors (particularly sales guys) tend to reflect back to customers what they are hearing from other customers. So I think many customers go to these vendors asking
| Most recently, we have met with a variety of vendors including but not
| limited to: Coverity, Ounce Labs, Fortify, Klocwork, HP and so on. In
| the conversation they all used interesting phrases to describe how they
| classify their competitors' value proposition. At some level, this has
| managed
- So when a vendor says that they are focused on quality and not security, and vice versa, what exactly does this mean? We spend most of Chapter 2 of Secure Programming with Static Analysis describing the different problems that static analysis tools try to solve, and we show where we think all