Re: InformIT: comparing static analysis tools

[Prasad N Shenoy <prasad.shenoy () gmail com>]

Yeah, clear the "cloud" of confusion before talking about the cloud so to speak. Not all SaaS offerings available today 
qualify to be cloud based.

Well, this thread got morphed into a cloudy discussion. Attempting to get back on track, I would say IMHO, it's 
subjective whether the static analysis or dynamic analysis (pen testing/bb testing) technologies have hit the wall - 
depends on who you ask. There is some element of saturation there I believe else the industry (term very generously 
used here)won't be focusing on things like Hybrid Analysis. Having said that, what's the future of HA?

Sent from my iPhone

On Feb 4, 2011, at 12:27 PM, Ben Laurie <benl () google com> wrote:

> On 4 February 2011 09:22, Chris Wysopal <cwysopal () veracode com> wrote:
>  
>
> “Breaking news.  Google says not to use the cloud.  Improving on-premise tools is the future.”
>
>
> My view is personal. However, in general, whether the cloud is a good place for your data depends on your data and 
> the relationship you have with the cloud provider. If your boss says "no, you can't push this stuff outside our 
> network" then clearly the cloud is not the right answer (or your boss doesn't understand the problem).
>  
>  
>
> Sorry, I couldn’t help myself. J
>
>  
>
> -Chris
>
>  
>
> From: Ben Laurie [mailto:benl () google com] 
> Sent: Friday, February 04, 2011 11:34 AM
> To: Jim Manico
> Cc: Chris Wysopal; Secure Code Mailing List
> Subject: Re: [SC-L] InformIT: comparing static analysis tools
>
>  
>
>  
>
> On 3 February 2011 16:02, Jim Manico <jim.manico () owasp org> wrote:
>
> Chris,
>
> I've tried to leverage Veracode in recent engagements. Here is how the conversation went:
>
> Jim:
> "Boss, can I upload all of your code to this cool SaaS service for analysis?"
>
> Client:
> "Uh no, and next time you ask, I'm having you committed".
>
> I'm sure you have faced these objections before. How do you work around them?
>
>  
>
> Don't use SaaS, obviously.
>
>  
>
> I'd rather see LLVM's static analysis tools get improved (the framework, btw, is really nice to work with).
>
>  
>
>
> -Jim Manico
> http://manico.net
>
>
> On Feb 3, 2011, at 1:54 PM, Chris Wysopal <cwysopal () veracode com> wrote:
>
> > Nice article.  In the 5 years Veracode has been selling static analysis services we have seen the market mature.  
> > In the beginning, organizations were down in the weeds. "What false positive rate or false negative rate does the 
> > tool/service have over a test suite such as SAMATE."  Then we saw a move up to looking at the trees.  "Did the 
> > tool/service support the Java frameworks I am using?"  Now we are seeing organizations look at the forest. "Can I 
> > scale static analysis effectively over all my development sites, my outsourcers, and vendors?"  This is a good sign 
> > of a maturing market.
> >
> > It is my firm belief that software security has a consumption problem.  We know what the defects are.  We know how 
> > to fix them.  We even have automation for detecting a lot of them.  The problem is getting the information and 
> > technology to the right person at the right time effectively and managing an organization-wide program.  This is 
> > the next challenge for static analysis. <bias-alert>I think SaaS based software is more easily consumed and this 
> > isn't any different for software security</bias-alert>
> >
> > -Chris
> >
> > -----Original Message-----
> > From: sc-l-bounces () securecoding org [mailto:sc-l-bounces () securecoding org] On Behalf Of Gary McGraw
> > Sent: Wednesday, February 02, 2011 9:49 AM
> > To: Secure Code Mailing List
> > Subject: [SC-L] InformIT: comparing static analysis tools
> >
> > hi sc-l,
> >
> > John Steven and I recently collaborated on an article for informIT.  The article is called "Software [In]security: 
> > Comparing Apples, Oranges, and Aardvarks (or, All Static Analysis Tools Are Not Created Equal)" and is available 
> > here:
> > http://www.informit.com/articles/article.aspx?p=1680863
> >
> > Now that static analysis tools like Fortify and Ounce are hitting the mainstream there are many potential customers 
> > who want to compare them and pick the best one.  We explain why that's more difficult than it sounds at first and 
> > what to watch out for as you begin to compare tools.  We did this in order to get out in front of "test suites" 
> > that purport to work for tool comparison.  If you wonder why such suites may not work as advertised, read the 
> > article.
> >
> > Your feedback is welcome.
> >
> > gem
> >
> > company www.cigital.com
> > podcast www.cigital.com/silverbullet
> > blog www.cigital.com/justiceleague
> > book www.swsec.com
> >
> > _______________________________________________
> > Secure Coding mailing list (SC-L) SC-L () securecoding org List information, subscriptions, etc - 
> > http://krvw.com/mailman/listinfo/sc-l
> > List charter available at - http://www.securecoding.org/list/charter.php
> > SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the 
> > software security community.
> > Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
> > _______________________________________________
> >
> > _______________________________________________
> > Secure Coding mailing list (SC-L) SC-L () securecoding org
> > List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> > List charter available at - http://www.securecoding.org/list/charter.php
> > SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> > as a free, non-commercial service to the software security community.
> > Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
> > _______________________________________________
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L () securecoding org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
> _______________________________________________
>
>  
>
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L () securecoding org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
> _______________________________________________
_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________