Penetration Testing mailing list archives
Re: True Source Code Analysis for Security
From: Jason Ross <algorythm () gmail com>
Date: Wed, 4 Nov 2009 16:29:54 -0500
On Mon, Nov 2, 2009 at 8:36 PM, John Kinsella <jlk () thrashyour com> wrote:
> I'm writing this as somebody who has used several major SCA tools - a quick glance of your company's site looks interesting, but right now I feel like I'm being marketed to.
Agreed, it feels "slimy". That was my first reaction to this thread as well. But then I tried to identify what exactly it was that caused me to feel that way.

* The white paper itself doesn't try to market their product that I could see.
* The web site it's available from doesn't require an email address or any other form of information before allowing you to download the document.
* The original post does not attempt to specifically peddle any product.

I don't think there's anything wrong with a company putting out a technical white paper that describes an issue as long as they aren't using it to tout their specific product (that's what the marketing white papers are for IMO). I also don't think there's anything wrong with that company sending an email to a relevant list stating that they have such a paper available, particularly if there's no information required to obtain it (which always turns me off as a marketing ploy to build 'potential customer' databases).

So, I was left to conclude that really, the only reason I felt this was marketing was because the original message came from the founder of the company that presented the paper and not some tech grunt within it. For me, that was unfair, and is why I posted my original message about this.

That aside, as I mentioned in my post, and as you also pointed out in yours, I'm not sure that all of the arguments given in the doc are well founded.

--
Jason