Secure Coding mailing list archives

Re: InformIT: comparing static analysis tools


From: "Arian J. Evans" <arian.evans () anachronic com>
Date: Thu, 3 Feb 2011 16:26:43 -0800

Great article, Gary. Many of your comments about static technology
challenges I have seen and verified first-hand, including
multi-million dollar cost overruns. After some great dialogue with
John Stevens, I suspect we have had similar experiences.

I was just about to write a similar article at a higher level - about
how the vast majority of enterprise customers I work with are actively
moving security into the SDLC. The time has come, the event has
tipped, and SDLC security is indeed mainstream. This is an exciting
time to be in the industry.

However - I was curious about your comments about dynamic tools
"reaching their limit" or something like that, as customers move
security efforts deeper into the SDLC. What does that mean?

I see customers making extensive use of dynamic testing, and
leveraging it deeper and deeper into the SDLC. Enterprises are
aggressively rolling out and expanding dynamic testing earlier in the
SDLC. Newer dynamic testing technologies help solve/reduce some of the
key pain points that static technologies alone are causing them, as
you so well illustrated.
I am very interested in why you sound dismissive of these successful
technologies? Your article makes it sound like they are hitting some
invisible limit, when in fact hundreds of enterprises are expanding
dynamic testing in the SDLC. And these are serious projects that run
into the 7-figures.

Any insight you can share would be appreciated!

Great work identifying the general shift; SDLC security is moving mainstream.

---
Arian Evans
Software Security Referee



On Wed, Feb 2, 2011 at 6:48 AM, Gary McGraw <gem () cigital com> wrote:
hi sc-l,

John Steven and I recently collaborated on an article for informIT.  The article is called "Software [In]security: 
Comparing Apples, Oranges, and Aardvarks (or, All Static Analysis Tools Are Not Created Equal)" and is available here:
http://www.informit.com/articles/article.aspx?p=1680863

Now that static analysis tools like Fortify and Ounce are hitting the mainstream there are many potential customers 
who want to compare them and pick the best one.  We explain why that's more difficult than it sounds at first and 
what to watch out for as you begin to compare tools.  We did this in order to get out in front of "test suites" that 
purport to work for tool comparison.  If you wonder why such suites may not work as advertised, read the article.

Your feedback is welcome.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________