Perspectives on Code Scanning

[James.McGovern at thehartford.com (McGovern, James F (HTSC, IT))]

I really hope that this email doesn't generate a ton of offline emails and hope that folks will talk publicly. It has 
been my latest thinking that the value of tools in this space are not really targeted at developers but should be 
targeted at executives who care about overall quality and security folks who care about risk. While developers are the 
ones to remediate, the accountability for secure coding resides elsewhere.

It would seem to be that tools that developers plug into their IDE should be free since the value proposition should 
reside elsewhere. Many of these tools provide "audit" functionality and allow enterprises to gain a view into their 
portfolio that they previously had zero clue about and this is where the value should reside.

If there is even an iota of agreement, wouldn't it be in the best interest of folks here to get vendors to ignore 
developer specific licensing and instead focus on enterprise concerns?


*************************************************************************
This communication, including attachments, is
for the exclusive use of addressee and may contain proprietary,
confidential and/or privileged information.  If you are not the intended
recipient, any use, copying, disclosure, dissemination or distribution is
strictly prohibited.  If you are not the intended recipient, please notify
the sender immediately by return e-mail, delete this communication and
destroy all copies.
*************************************************************************