RE: Comparing Scanning Tools

[jsteven at cigital.com (John Steven)]

All,

Sorry it took so long, but I've finally got the new string of  
Building Security In (BSI) articles up on Cigital's website. Brian  
Chess (of Fortify Software) and Pravir Chandra (of Secure Software)  
and I collaborated on an article regarding adopting code analysis  
tools that might be of interest:

http://www.cigital.com/papers/download/j3bsi.pdf

Check it out. I'd say it's "up and coming" rather than "here", but  
some of my more advanced clients have surprisingly good ideas on how  
to assure outsourced development. As one might imagine, they involve:

* Running code analysis tools, penetration tools
* Defining/running programmatic destructive (what they call UAT,  
though they're much deeper) tests
* Incorporating language (in addition to what's provided by OWASP)  
about SLA, QoS, and vulnerability remediation during maintenance
* and other controls

I've seen/helped in rare cases with conducting software architectural  
analyses to determine if the vendor's solution introduced security  
flaws in pursuit of the contracted requirements.

Of course, hard problems still exist... not the least of which being  
the pragmatics of allowing off-shore vendors to promote into  
production, hold staging or production secrets, access to production  
data stores, and so forth.

It's no shock that an organization must have a handle on how much  
software development and maintenance really costs before it allows  
these budgetary 'hits' explicitly. In the end though, they'll get  
paid out anyways on the backend.

----
John Steven
Technical Director; Principal, Software Security Group
Direct: (703) 404-5726 Cell: (703) 727-4034
Key fingerprint = 4772 F7F3 1019 4668 62AD  94B0 AE7F
http://www.cigital.com
Software Confidence. Achieved.


On Jun 9, 2006, at 2:32 PM, Jeremy Epstein wrote:

> --===============1664004964==
> Content-Type: multipart/alternative;
>       boundary="----_=_NextPart_001_01C68BF3.086B16AC"
>
> This message is in MIME format. Since your mail reader does not  
> understand
> this format, some or all of this message may not be legible.
>
> ------_=_NextPart_001_01C68BF3.086B16AC
> Content-Type: text/plain
>
> At the RSA Conference in February, I went to a reception hosted by  
> a group
> called "Secure Software Forum" (not to be confused with the company  
> Secure
> Software Inc, which offers a product competitive to Fortify).  They  
> had a
> panel session where representatives from a couple of companies not  
> in the
> software/technology business claimed that they're making contractual
> requirements in this area (i.e., that vendors are required to  
> assert as part
> of the contract what measures they use to assure their code).  So I  
> guess
> there's proof by construction that companies other than Microsoft &  
> Oracle
> care.
>
> Having said that, it's completely at odds compared to what I see  
> working for
> an ISV of a non-security product.  That is, I almost never have
> prospects/customers ask me what we do to assure our software. If it  
> happened
> more often, I'd be able to get more budget to do the analysis that  
> I think
> all vendors should do :-(
>
> --Jeremy
>
> P.S. Since Brian provided a link to a press release about Oracle using
> Fortify, I'll offer a link about a financial services company using  
> Secure
> Software: http://www.securesoftware.com/news/releases/20050725.html
> <http://www.securesoftware.com/news/releases/20050725.html>
>
>
>   _____
>
> From: sc-l-bounces at securecoding.org [mailto:sc-l- 
> bounces at securecoding.org]
> On Behalf Of McGovern, James F (HTSC, IT)
> Sent: Friday, June 09, 2006 12:10 PM
> To: Secure Mailing List
> Subject: RE: [SC-L] RE: Comparing Scanning Tools
>
>
> I think I should have been more specific in my first post. I should  
> have
> phrased it as I have yet to find a large enterprise whose primary  
> business
> isn't software or technology that has made a significant investment  
> in such
> tools.
>
> Likewise, a lot of large enteprrises are shifting away from  
> building inhouse
> to either outsourcing and/or buying which means that secure coding  
> practices
> should also be enforced via procurement agreements. Has anyone here  
> ran
> across contract clauses that assist in this regard?
>
> -----Original Message-----
> From: Gunnar Peterson [mailto:gunnar at arctecgroup.net]
> Sent: Friday, June 09, 2006 8:48 AM
> To: Brian Chess; Secure Mailing List; McGovern, James F (HTSC, IT)
> Subject: Re: [SC-L] RE: Comparing Scanning Tools
>
>
> Right, because their customers (are starting to) demand more secure  
> code
> from their technology. In the enterprise space the financial,  
> insurance,
> healthcare companies who routinely lose their customer's data and  
> provide
> their customers with vulnerability-laden apps have not yet seen the  
> same
> amount of customer demand for this, but 84 million public lost  
> records later
> ( http://www.privacyrights.org/ar/ChronDataBreaches.htm)
> <http://www.privacyrights.org/ar/ChronDataBreaches.htm)>  this may  
> begin to
> change.
>
> -gp
>
>
> On 6/9/06 1:45 AM, "Brian Chess" <brian at fortifysoftware.com> wrote:
>
>
>
> McGovern, James F wrote:
>
> > I have yet to find a large enterprise that has made a significant
> investment in such tools.
>
> I'll give you pointers to two.  They're two of the three largest  
> software
> companies in the world.
>
> http://news.com.com/2100-1002_3-5220488.html
> <http://news.com.com/2100-1002_3-5220488.html>
> http://news.zdnet.com/2100-3513_22-6002747.html
> <http://news.zdnet.com/2100-3513_22-6002747.html>
>
> Brian
>
>
>   _____
>
> _______________________________________________
> Secure Coding mailing list (SC-L)
> SC-L at securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/ 
> listinfo/sc-l
> <http://krvw.com/mailman/listinfo/sc-l>
> List charter available at - http://www.securecoding.org/list/ 
> charter.php
> <http://www.securecoding.org/list/charter.php>
>
>
>
>
>
>
>
> ********************************************************************** 
> ***
> This communication, including attachments, is
> for the exclusive use of addressee and may contain proprietary,
> confidential and/or privileged information. If you are not the  
> intended
> recipient, any use, copying, disclosure, dissemination or  
> distribution is
> strictly prohibited. If you are not the intended recipient, please  
> notify
> the sender immediately by return e-mail, delete this communication and
> destroy all copies.
> ********************************************************************** 
> ***
>
>
>
> ------_=_NextPart_001_01C68BF3.086B16AC
> Content-Type: text/html
> Content-Transfer-Encoding: quoted-printable
>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
> <HTML><HEAD>
> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
> charset=3Dus-ascii">
> <TITLE>Re: [SC-L] RE: Comparing Scanning Tools</TITLE>
>
> <META content=3D"MSHTML 6.00.2900.2876" name=3DGENERATOR></HEAD>
> <BODY>
> <DIV dir=3Dltr align=3Dleft><SPAN class=3D545111618-09062006><FONT =
> face=3DArial=20
> color=3D#0000ff size=3D2>At the RSA Conference in February, I went  
> to a =
> reception=20
> hosted by a group called "Secure Software Forum"&nbsp;(not to be =
> confused with=20
> the company Secure Software Inc, which offers a product competitive  
> to=20
> Fortify).&nbsp; They had a panel session where representatives from  
> a =
> couple of=20
> companies not in the software/technology business claimed that  
> they're =
> making=20
> contractual requirements in this area (i.e., that vendors are  
> required =
> to assert=20
> as part of the contract what measures they use to assure their =
> code).&nbsp; So I=20
> guess there's proof by construction that companies other than  
> Microsoft =
> &amp;=20
> Oracle care.</FONT></SPAN></DIV>
> <DIV dir=3Dltr align=3Dleft><SPAN class=3D545111618-09062006><FONT =
> face=3DArial=20
> color=3D#0000ff size=3D2></FONT></SPAN>&nbsp;</DIV>
> <DIV dir=3Dltr align=3Dleft><SPAN class=3D545111618-09062006><FONT =
> face=3DArial=20
> color=3D#0000ff size=3D2>Having said that, it's completely at odds =
> compared to what=20
> I see working for an ISV of a non-security product.&nbsp; That is, I =
> almost=20
> never have prospects/customers ask me what we do to assure our =
> software. If it=20
> happened more often, I'd be able to get more budget to do the  
> analysis =
> that I=20
> think all vendors should do&nbsp;:-(</FONT></SPAN></DIV>
> <DIV dir=3Dltr align=3Dleft><SPAN class=3D545111618-09062006><FONT =
> face=3DArial=20
> color=3D#0000ff size=3D2></FONT></SPAN>&nbsp;</DIV>
> <DIV dir=3Dltr align=3Dleft><SPAN class=3D545111618-09062006><FONT =
> face=3DArial=20
> color=3D#0000ff size=3D2>--Jeremy</FONT></SPAN></DIV>
> <DIV dir=3Dltr align=3Dleft><SPAN class=3D545111618-09062006><FONT =
> face=3DArial=20
> color=3D#0000ff size=3D2></FONT></SPAN>&nbsp;</DIV>
> <DIV dir=3Dltr align=3Dleft><SPAN class=3D545111618-09062006><FONT =
> face=3DArial=20
> color=3D#0000ff size=3D2>P.S. Since Brian provided a link to a press =
> release about=20
> Oracle using Fortify, I'll offer a link about a financial services =
> company using=20
> Secure Software: <A=20
> href=3D"http://www.securesoftware.com/news/releases/ 
> 20050725.html">http:=
> //www.securesoftware.com/news/releases/20050725.html</A></FONT></ 
> SPAN></=
> DIV><BR>
> <BLOCKQUOTE=20
> style=3D"PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff  
> 2px =
> solid; MARGIN-RIGHT: 0px">
>   <DIV class=3DOutlookMessageHeader lang=3Den-us dir=3Dltr =
> align=3Dleft>
>   <HR tabIndex=3D-1>
>   <FONT face=3DTahoma size=3D2><B>From:</B> =
> sc-l-bounces at securecoding.org=20
>   [mailto:sc-l-bounces at securecoding.org] <B>On Behalf Of </ 
> B>McGovern, =
> James F=20
>   (HTSC, IT)<BR><B>Sent:</B> Friday, June 09, 2006 12:10 =
> PM<BR><B>To:</B> Secure=20
>   Mailing List<BR><B>Subject:</B> RE: [SC-L] RE: Comparing Scanning=20
>   Tools<BR></FONT><BR></DIV>
>   <DIV></DIV>
>   <DIV><FONT face=3DArial color=3D#0000ff size=3D2><SPAN =
> class=3D617262813-09062006>I=20
>   think I should have been more specific in my first post. I should =
> have phrased=20
>   it as I have yet to find a large enterprise whose primary business =
> isn't=20
>   software or technology that has made a significant investment in  
> such =
>
>   tools.</SPAN></FONT></DIV>
>   <DIV><FONT face=3DArial color=3D#0000ff size=3D2><SPAN=20
>   class=3D617262813-09062006></SPAN></FONT>&nbsp;</DIV>
>   <DIV><FONT face=3DArial color=3D#0000ff size=3D2><SPAN=20
>   class=3D617262813-09062006>Likewise, a lot of large enteprrises  
> are =
> shifting=20
>   away from building inhouse to either outsourcing and/or buying  
> which =
> means=20
>   that secure coding practices should also be enforced via  
> procurement=20
>   agreements. Has anyone here ran across contract clauses that  
> assist =
> in this=20
>   regard?</SPAN></FONT></DIV>
>   <BLOCKQUOTE>
>     <DIV class=3DOutlookMessageHeader dir=3Dltr align=3Dleft><FONT =
> face=3DTahoma=20
>     size=3D2>-----Original Message-----<BR><B>From:</B> Gunnar  
> Peterson =
>
>     [mailto:gunnar at arctecgroup.net]<BR><B>Sent:</B> Friday, June 09, =
> 2006 8:48=20
>     AM<BR><B>To:</B> Brian Chess; Secure Mailing List; McGovern,  
> James =
> F (HTSC,=20
>     IT)<BR><B>Subject:</B> Re: [SC-L] RE: Comparing Scanning=20
>     Tools<BR><BR></FONT></DIV><FONT face=3D"Verdana, Helvetica, =
> Arial"><SPAN=20
>     style=3D"FONT-SIZE: 12px">Right, because their customers (are =
> starting to)=20
>     demand more secure code from their technology. In the enterprise =
> space the=20
>     financial, insurance, healthcare companies who routinely lose  
> their =
>
>     customer&#8217;s data and provide their customers with =
> vulnerability-laden apps=20
>     have not yet seen the same amount of customer demand for this,  
> but =
> 84=20
>     million public lost records later ( <A=20
>     =
> href=3D"http://www.privacyrights.org/ar/ 
> ChronDataBreaches.htm)">http://w=
> ww.privacyrights.org/ar/ChronDataBreaches.htm)</A>=20
>     this may begin to change.<BR><BR>-gp<BR><BR><BR>On 6/9/06 1:45  
> AM, =
> "Brian=20
>     Chess" &lt;brian at fortifysoftware.com&gt; =
> wrote:<BR><BR></SPAN></FONT>
>     <BLOCKQUOTE><FONT face=3D"Verdana, Helvetica, Arial"><SPAN=20
>       style=3D"FONT-SIZE: 12px">McGovern, James F  
> wrote:<BR><BR>&gt; I =
> have yet to=20
>       find a large enterprise that has made a significant  
> investment in =
> such=20
>       tools. <BR><BR>I&#8217;ll give you pointers to two. =
> &nbsp;They&#8217;re two of the=20
>       three largest software companies in the world.<BR><BR><A=20
>       =
> href=3D"http://news.com.com/2100-1002_3-5220488.html";>http:// 
> news.com.co=
> m/2100-1002_3-5220488.html</A><BR><A=20
>       =
> href=3D"http://news.zdnet.com/2100-3513_22-6002747.html";>http:// 
> news.zdn=
> et.com/2100-3513_22-6002747.html</A><BR><BR>Brian<BR><BR>
>       <HR align=3Dcenter width=3D"95%" SIZE=3D3>
>       </SPAN></FONT><FONT size=3D2><FONT face=3D"Monaco, Courier =
> New"><SPAN=20
>       style=3D"FONT-SIZE: =
> 10px">_______________________________________________<BR>Secure=20
>       Coding mailing list (SC-L)<BR>SC-L at securecoding.org<BR>List =
> information,=20
>       subscriptions, etc - <A=20
>       =
> href=3D"http://krvw.com/mailman/listinfo/sc-l";>http://krvw.com/ 
> mailman/l=
> istinfo/sc-l</A><BR>List=20
>       charter available at - <A=20
>       =
> href=3D"http://www.securecoding.org/list/charter.php";>http:// 
> www.securec=
> oding.org/list/charter.php</A><BR></SPAN></FONT></FONT></ 
> BLOCKQUOTE><FON=
> T=20
>     size=3D2><FONT face=3D"Monaco, Courier New"><SPAN=20
>   style=3D"FONT-SIZE: 10px"><BR></BLOCKQUOTE></SPAN></FONT></ 
> FONT><FONT =
>
>   =
> size=3D3><BR><BR>***************************************************** 
> **=
> ******************<BR>This=20
>   communication, including attachments, is<BR>for the exclusive use  
> of =
> addressee=20
>   and may contain proprietary,<BR>confidential and/or privileged =
> information. If=20
>   you are not the intended<BR>recipient, any use, copying,  
> disclosure,=20
>   dissemination or distribution is<BR>strictly prohibited. If you  
> are =
> not the=20
>   intended recipient, please notify<BR>the sender immediately by  
> return =
> e-mail,=20
>   delete this communication and<BR>destroy all=20
>   =
> copies.<BR>*********************************************************** 
> **=
> ************<BR></BLOCKQUOTE></FONT></BODY></HTML>
>
> ------_=_NextPart_001_01C68BF3.086B16AC--
>
> --===============1664004964==
> Content-Type: text/plain; charset="us-ascii"
> MIME-Version: 1.0
> Content-Transfer-Encoding: 7bit
> Content-Disposition: inline
>
> _______________________________________________
> Secure Coding mailing list (SC-L)
> SC-L at securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/ 
> listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/ 
> charter.php
>
> --===============1664004964==--



----------------------------------------------------------------------------
This electronic message transmission contains information that may be
confidential or privileged.  The information contained herein is intended
solely for the recipient and use by any other party is not authorized.  If
you are not the intended recipient (or otherwise authorized to receive this
message by the intended recipient), any disclosure, copying, distribution or
use of the contents of the information is prohibited.  If you have received
this electronic message transmission in error, please contact the sender by
reply email and delete all copies of this message.  Cigital, Inc. accepts no
responsibility for any loss or damage resulting directly or indirectly from
the use of this email or its contents.
Thank You.
----------------------------------------------------------------------------