Secure Coding mailing list archives

RE: Comparing Scanning Tools


From: jeremy.epstein at webmethods.com (Jeremy Epstein)
Date: Fri, 9 Jun 2006 14:32:16 -0400

At the RSA Conference in February, I went to a reception hosted by a group
called "Secure Software Forum" (not to be confused with the company Secure
Software Inc, which offers a product competitive to Fortify).  They had a
panel session where representatives from a couple of companies not in the
software/technology business claimed that they're making contractual
requirements in this area (i.e., that vendors are required to assert as part
of the contract what measures they use to assure their code).  So I guess
there's proof by construction that companies other than Microsoft & Oracle
care.
 
Having said that, it's completely at odds with what I see working for
an ISV of a non-security product.  That is, I almost never have
prospects/customers ask me what we do to assure our software. If it happened
more often, I'd be able to get more budget to do the analysis that I think
all vendors should do :-(
 
--Jeremy
 
P.S. Since Brian provided a link to a press release about Oracle using
Fortify, I'll offer a link about a financial services company using Secure
Software: http://www.securesoftware.com/news/releases/20050725.html



From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org]
On Behalf Of McGovern, James F (HTSC, IT)
Sent: Friday, June 09, 2006 12:10 PM
To: Secure Mailing List
Subject: RE: [SC-L] RE: Comparing Scanning Tools


I think I should have been more specific in my first post. I should have
phrased it as I have yet to find a large enterprise whose primary business
isn't software or technology that has made a significant investment in such
tools.
 
Likewise, a lot of large enterprises are shifting away from building in-house
to either outsourcing and/or buying, which means that secure coding practices
should also be enforced via procurement agreements. Has anyone here run
across contract clauses that assist in this regard?

-----Original Message-----
From: Gunnar Peterson [mailto:gunnar at arctecgroup.net]
Sent: Friday, June 09, 2006 8:48 AM
To: Brian Chess; Secure Mailing List; McGovern, James F (HTSC, IT)
Subject: Re: [SC-L] RE: Comparing Scanning Tools


Right, because their customers (are starting to) demand more secure code
from their technology. In the enterprise space the financial, insurance,
healthcare companies who routinely lose their customer's data and provide
their customers with vulnerability-laden apps have not yet seen the same
amount of customer demand for this, but 84 million public lost records later
(http://www.privacyrights.org/ar/ChronDataBreaches.htm) this may begin to
change.

-gp


On 6/9/06 1:45 AM, "Brian Chess" <brian at fortifysoftware.com> wrote:
McGovern, James F wrote:

I have yet to find a large enterprise that has made a significant
investment in such tools. 

I'll give you pointers to two.  They're two of the three largest software
companies in the world.

http://news.com.com/2100-1002_3-5220488.html
http://news.zdnet.com/2100-3513_22-6002747.html

Brian



_______________________________________________
Secure Coding mailing list (SC-L)
SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php