Re: InformIT: comparing static analysis tools

[Chris Wysopal <cwysopal () veracode com>]

Nice article.  In the 5 years Veracode has been selling static analysis services we have seen the market mature.  In 
the beginning, organizations were down in the weeds. "What false positive rate or false negative rate does the 
tool/service have over a test suite such as SAMATE."  Then we saw a move up to looking at the trees.  "Did the 
tool/service support the Java frameworks I am using?"  Now we are seeing organizations look at the forest. "Can I scale 
static analysis effectively over all my development sites, my outsourcers, and vendors?"  This is a good sign of a 
maturing market.

It is my firm belief that software security has a consumption problem.  We know what the defects are.  We know how to 
fix them.  We even have automation for detecting a lot of them.  The problem is getting the information and technology 
to the right person at the right time effectively and managing an organization-wide program.  This is the next 
challenge for static analysis. <bias-alert>I think SaaS based software is more easily consumed and this isn't any 
different for software security</bias-alert>

-Chris

-----Original Message-----
From: sc-l-bounces () securecoding org [mailto:sc-l-bounces () securecoding org] On Behalf Of Gary McGraw
Sent: Wednesday, February 02, 2011 9:49 AM
To: Secure Code Mailing List
Subject: [SC-L] InformIT: comparing static analysis tools

hi sc-l,

John Steven and I recently collaborated on an article for informIT.  The article is called "Software [In]security: 
Comparing Apples, Oranges, and Aardvarks (or, All Static Analysis Tools Are Not Created Equal)" and is available here:
http://www.informit.com/articles/article.aspx?p=1680863

Now that static analysis tools like Fortify and Ounce are hitting the mainstream there are many potential customers who 
want to compare them and pick the best one.  We explain why that's more difficult than it sounds at first and what to 
watch out for as you begin to compare tools.  We did this in order to get out in front of "test suites" that purport to 
work for tool comparison.  If you wonder why such suites may not work as advertised, read the article.

Your feedback is welcome.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org List information, subscriptions, etc - 
http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the 
software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________