Secure Coding mailing list archives

Re: informIT: Technology transfer


From: Chris Wysopal <cwysopal () veracode com>
Date: Thu, 28 Oct 2010 15:04:52 -0400


Nice article.  There is a piece of this history that predated ITS4: L0pht's SLINT, which dates from 1998 and was demoed 
to you and John Viega.

Here was our original description:

http://web.archive.org/web/19990209122838/http://www.l0pht.com/slint.html

From the Feb, 1999 web page:

<excerpt>

"Source code security analyzers are publicly available in the black hat community and are being used to scan for 
exploitable code. SLINT will help you render the PD wares obsolete."

What is it?
SLINT is a core product to be sold into an existing GUI development package.
         - Helps people be proactive while writing secure code by highlighting positional hot spots of exploitable 
routines and poor memory allocations.
         - Identifies suspect blocks of code.
         - Makes the task of security review more palatable so you don't need a team of high-level experts to go 
through megabytes of code.
         - Supplies solutions and/or alternatives to problem areas.
         - Most security problems could have been fixed at the beginning of development. Secure applications must start 
with a secure base. The best *BANG* for the buck is to be proactive at the start of program creation.
         - Easy to implement into existing Y2K code review packages

What will it examine and on what platforms?

         - Unix/NT
         - C, C++ (JAVA in the future)
         - elf-32 binaries
         - a.out files
         - buffer overflows
         - improper SetUID of files
         - randomness code faults
         - race conditions
         - incorrect access of memory
         - improper flags on critical system calls
         - more?

</excerpt>

Sounds very familiar. It is almost hard to believe that was 12 years ago.

SLINT in turn grew out of the black hat community, so I won't claim that L0pht had this idea first, just that we took it 
to the "consultingware" level.  I like that term because I lived it with SLINT at L0pht and then UnDeveloper Studio at 
@stake, which has become the commercial static code analysis service at Veracode.  Our technology at Veracode followed a 
track similar to the one the Cigital-to-Fortify-to-HP technology has.

-Chris

-----Original Message-----
From: sc-l-bounces () securecoding org [mailto:sc-l-bounces () securecoding org] On Behalf Of Gary McGraw
Sent: Tuesday, October 26, 2010 10:14 AM
To: Secure Code Mailing List
Subject: [SC-L] informIT: Technology transfer

hi sc-l,

From time to time a thread or two has popped up on this list discussing how we get software security into the 
mainstream.  One obvious way to do this is through technology transfer.  I am particularly proud of the role that Cigital 
has played getting security-focused static analysis out into the "mainstream."  Now that IBM owns Ounce and HP owns 
Fortify we should see significant uptake of the technology worldwide.

My informIT column this month is a case study that follows a technology from Cigital Labs, through Kleiner Perkins and 
Fortify to the mainstream.  As you will see, technology transfer is hard and it takes serious time and effort.  In the 
case of code scanning technology, the effort took two companies, millions of dollars, serious Silicon Valley 
engineering and ten years.

Read all about it here: <http://www.informit.com/articles/article.aspx?p=1648912>

Your comments and feedback are welcome.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
