Secure Coding mailing list archives
Re: InformIT: comparing static analysis tools
From: John Steven <jsteven () cigital com>
Date: Thu, 3 Feb 2011 16:19:51 -0500
All, I followed this article up with a blog entry, more targeted at adopting organizations. I hope you find it useful: http://www.cigital.com/justiceleague/2011/02/02/if-its-so-hard-why-bother/ ---- John Steven Senior Director; Advanced Technology Consulting Desk: 703.404.9293 x1204 Cell: 703.727.4034 Key fingerprint = 4772 F7F3 1019 4668 62AD 94B0 AE7F EEF4 62D5 F908 Blog: http://www.cigital.com/justiceleague Papers: http://www.cigital.com/papers/jsteven http://www.cigital.com Software Confidence. Achieved.
hi sc-l, John Steven and I recently collaborated on an article for informIT. The article is called "Software [In]security: Comparing Apples, Oranges, and Aardvarks (or, All Static Analysis Tools Are Not Created Equal)" and is available here: http://www.informit.com/articles/article.aspx?p=1680863 Now that static analysis tools like Fortify and Ounce are hitting the mainstream there are many potential customers who want to compare them and pick the best one. We explain why that's more difficult than it sounds at first and what to watch out for as you begin to compare tools. We did this in order to get out in front of "test suites" that purport to work for tool comparison. If you wonder why such suites may not work as advertised, read the article. Your feedback is welcome.
Attachment:
smime.p7s
Description:
_______________________________________________ Secure Coding mailing list (SC-L) SC-L () securecoding org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates _______________________________________________
Current thread:
- Re: InformIT: comparing static analysis tools, (continued)
- Re: InformIT: comparing static analysis tools Chris Wysopal (Feb 04)
- Re: InformIT: comparing static analysis tools Chris Eng (Feb 04)
- Re: InformIT: comparing static analysis tools Jim Manico (Feb 04)
- Re: InformIT: comparing static analysis tools Chris Eng (Feb 05)
- Re: InformIT: comparing static analysis tools Prasad N Shenoy (Feb 04)
- free and open online secure coding in C course module Robert Seacord (Feb 04)
- Re: InformIT: comparing static analysis tools Chris Wysopal (Feb 04)
- Re: InformIT: comparing static analysis tools Gary McGraw (Feb 04)
- Re: InformIT: comparing static analysis tools Jeremiah Grossman (Feb 04)