Secure Coding mailing list archives

Re: InformIT: comparing static analysis tools


From: John Steven <jsteven () cigital com>
Date: Thu, 3 Feb 2011 16:19:51 -0500

All,

I followed this article up with a blog entry, more targeted at adopting organizations. I hope you find it useful:

http://www.cigital.com/justiceleague/2011/02/02/if-its-so-hard-why-bother/

----
John Steven
Senior Director; Advanced Technology Consulting
Desk: 703.404.9293 x1204 Cell: 703.727.4034
Key fingerprint = 4772 F7F3 1019 4668 62AD  94B0 AE7F EEF4 62D5 F908

Blog: http://www.cigital.com/justiceleague
Papers: http://www.cigital.com/papers/jsteven
http://www.cigital.com
Software Confidence. Achieved.


hi sc-l,

John Steven and I recently collaborated on an article for informIT.  The article is called "Software [In]security: 
Comparing Apples, Oranges, and Aardvarks (or, All Static Analysis Tools Are Not Created Equal)" and is available here:

http://www.informit.com/articles/article.aspx?p=1680863


Now that static analysis tools like Fortify and Ounce are hitting the mainstream, there are many potential customers 
who want to compare them and pick the best one.  We explain why that's more difficult than it sounds at first and 
what to watch out for as you begin to compare tools.  We did this in order to get out in front of "test suites" that 
purport to work for tool comparison.  If you wonder why such suites may not work as advertised, read the article.

Your feedback is welcome.

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________