Secure Coding mailing list archives

Perspectives on Code Scanning


From: James.McGovern at thehartford.com (McGovern, James F (HTSC, IT))
Date: Fri, 8 Jun 2007 13:01:15 -0400

In a previous thread someone appropriately commented that perspectives in this space differ depending upon whether you 
are a software vendor, government customer or enterprise. I do not disagree that developers need to know how to fix 
their code. What I am saying is that tools to assist developers in writing better code should be free.

Your quote "*imho* vendor has to follow developer licensing" is where I think it will harm the goals of secure coding 
at large. Consider the trend within the industry that tools for software development are essentially becoming free. No 
one pays for IDEs (rare exceptions) when things like Eclipse and Visual Studio have free versions.

Enterprise folks however will pay lots of money for tools in the auditing space that help them to quantify risk. The 
ability to scan large multiple code bases is a different product/problem than scanning while writing code in an IDE. I 
am saying that more money could be had if folks focus on the first and not the latter. Vendors who get it twisted by 
focusing on the number of developers are delusional and should ask themselves why only a select few of any 
enterprise are pervasively deploying tools to developers.

Give away the developer tools in the same way Microsoft does and you will accelerate your potential sales from the 
bottom up. Not all sales within places are driven top down...

-----Original Message-----
From: sc-l-bounces at securecoding.org
[mailto:sc-l-bounces at securecoding.org]On Behalf Of Paolo Perego
Sent: Friday, June 08, 2007 5:40 AM
To: McGovern, James F (HTSC, IT)
Cc: Secure Coding
Subject: Re: [SC-L] Perspectives on Code Scanning

Hi there, I found this thread very interesting.
It's true that developers are the ones who remediate code
insecurity and executives care about how much effort has to be spent
on closing branches. Indeed I think the two categories need a tool
approaching the same problem (telling whether code follows security best
practices or not) showing results in 2 "different" languages.

Developers need to know how to fix their code. Executives need to
know how much these fixes cost, who will attend to them and in how much
time fixes will be committed.

*imho* the vendor has to follow developer licensing... since the developer does
know how to write code but has to be helped in writing it in a
secure way.

Safe coding is a concern for both developers and executives.
My 2 euro cents

Ciao ciao
thesp0nge
-- 
Owasp Orizon leader
orizon.sourceforge.net
_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________

