Secure Coding mailing list archives

News flurry: informIT, Java Rules, and Microsoft's SDL Pro network


From: gem at cigital.com (Gary McGraw)
Date: Wed, 17 Sep 2008 14:01:05 -0400

hi sc-l,

It's a busy week for announcements of some things that have been brewing at Cigital for a while.  The first and most 
relevant to sc-l is a set of Fortify rules that we released today.  We've been building and using custom rules for many 
of the code scanning tools for a while now, and we're psyched to share a bunch of the non-proprietary ones with the 
community via open source.

You can get the Cigital Java Security Rulepack 1.0 here:
http://www.cigital.com/securitypack/

Briefly, the rules enhance Fortify's coverage of Java and include specialized rules about J2EE, Struts, Java Crypto, 
and some other things.  You can actually look at the rules (and tweak them if you want).  We've found that custom rules 
significantly enhance uptake of static analysis tools in large dev shops, especially when rules are customized for the 
shop itself.

My latest informIT column is about getting past the bug parade and focusing some attention on flaws.  Custom rules help 
by moving up the bug hierarchy towards flaws (but can't replace practices like threat modeling and Architectural Risk 
Analysis).  You can read all about that here:
http://www.informit.com/articles/article.aspx?p=1248057

Finally, Microsoft announced their new SDL Pro Network of nine companies prepared to roll out the SDL more widely.  As 
the largest provider of software security services on this tiny planet, we're happy to be involved in that.  For more 
on that, see Justice League:
http://www.cigital.com/justiceleague/2008/09/16/strengthening-software-security-through-collaboration/

As always, we're interested in your feedback.  Like the rules?  Think hawking the SDL is good?  Care about flaws as 
much as the bugs everyone is always going on about??

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
