Re: LinuxWorld | Secure coding attracts interest, investment

[Mars IMAP <jared_robinson () email com>]

BugScan probably competes with the @Stake tool, and works on object code:
http://www.hbgary.com/index.asp?G1=2&G2=1

Coverity's tool is absolutely *outstanding* on C code. They plan to have 
C++ support soon.

http://coverity.com/main.html

The Fortify tools (http://fortifysoftware.com) look good, from what I've 
seen in a demo.


And there's a new release of Flawfinder that just came out. It has 
documentation on how to integrate with vim and emacs, and has features 
to suppress more false positives. http://www.dwheeler.com/flawfinder/


- Jared

Kenneth R. van Wyk wrote:


Greetings all,

FYI, it looks like we're at the beginning of a new wave of software security 
tools.  There's a few commercial products beginning to hit the market that 
take static src code scanning to a new level.  See the link below for a 
LinuxWorld article that briefly (!) describes @stake's new SmartRisk Analyzer 
tool in addition to Fortify's Source Code Analysis suite.  These appear to 
pick up where current static analysis tools (e.g., ITS4, Flawfinder) leave 
off.


Anyone here willing/able to share some _user_ level experiences with any of 
these tools?  It'll be interesting to hear how they hold up in real software 
development environments.


http://www.linuxworld.com.au/nindex.php/id;1780700095;fp;2;fpid;1

Cheers,

Ken van Wyk