Secure Coding mailing list archives
RE: Comparing Scanning Tools
From: jsteven at cigital.com (John Steven)
Date: Wed, 14 Jun 2006 12:51:50 -0400
All,

Sorry it took so long, but I've finally got the new string of Building Security In (BSI) articles up on Cigital's website. Brian Chess (of Fortify Software) and Pravir Chandra (of Secure Software) and I collaborated on an article regarding adopting code analysis tools that might be of interest:

http://www.cigital.com/papers/download/j3bsi.pdf

Check it out.

I'd say it's "up and coming" rather than "here", but some of my more advanced clients have surprisingly good ideas on how to assure outsourced development. As one might imagine, they involve:

* Running code analysis tools, penetration tools
* Defining/running programmatic destructive (what they call UAT, though they're much deeper) tests
* Incorporating language (in addition to what's provided by OWASP) about SLA, QoS, and vulnerability remediation during maintenance
* and other controls

I've seen/helped in rare cases with conducting software architectural analyses to determine if the vendor's solution introduced security flaws in pursuit of the contracted requirements.

Of course, hard problems still exist... not the least of which being the pragmatics of allowing off-shore vendors to promote into production, hold staging or production secrets, access to production data stores, and so forth. It's no shock that an organization must have a handle on how much software development and maintenance really costs before it allows these budgetary 'hits' explicitly. In the end though, they'll get paid out anyways on the backend.

----
John Steven
Technical Director; Principal, Software Security Group
Direct: (703) 404-5726
Cell: (703) 727-4034
Key fingerprint = 4772 F7F3 1019 4668 62AD 94B0 AE7F
http://www.cigital.com
Software Confidence. Achieved.

On Jun 9, 2006, at 2:32 PM, Jeremy Epstein wrote:
At the RSA Conference in February, I went to a reception hosted by a group called "Secure Software Forum" (not to be confused with the company Secure Software Inc, which offers a product competitive to Fortify). They had a panel session where representatives from a couple of companies not in the software/technology business claimed that they're making contractual requirements in this area (i.e., that vendors are required to assert as part of the contract what measures they use to assure their code). So I guess there's proof by construction that companies other than Microsoft & Oracle care.

Having said that, it's completely at odds compared to what I see working for an ISV of a non-security product. That is, I almost never have prospects/customers ask me what we do to assure our software. If it happened more often, I'd be able to get more budget to do the analysis that I think all vendors should do :-(

--Jeremy

P.S. Since Brian provided a link to a press release about Oracle using Fortify, I'll offer a link about a financial services company using Secure Software: http://www.securesoftware.com/news/releases/20050725.html

_____

From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of McGovern, James F (HTSC, IT)
Sent: Friday, June 09, 2006 12:10 PM
To: Secure Mailing List
Subject: RE: [SC-L] RE: Comparing Scanning Tools

I think I should have been more specific in my first post. I should have phrased it as I have yet to find a large enterprise whose primary business isn't software or technology that has made a significant investment in such tools.

Likewise, a lot of large enterprises are shifting away from building in-house to either outsourcing and/or buying, which means that secure coding practices should also be enforced via procurement agreements. Has anyone here run across contract clauses that assist in this regard?

-----Original Message-----
From: Gunnar Peterson [mailto:gunnar at arctecgroup.net]
Sent: Friday, June 09, 2006 8:48 AM
To: Brian Chess; Secure Mailing List; McGovern, James F (HTSC, IT)
Subject: Re: [SC-L] RE: Comparing Scanning Tools

Right, because their customers (are starting to) demand more secure code from their technology. In the enterprise space the financial, insurance, healthcare companies who routinely lose their customers' data and provide their customers with vulnerability-laden apps have not yet seen the same amount of customer demand for this, but 84 million public lost records later (http://www.privacyrights.org/ar/ChronDataBreaches.htm) this may begin to change.

-gp

On 6/9/06 1:45 AM, "Brian Chess" <brian at fortifysoftware.com> wrote:

McGovern, James F wrote:
> I have yet to find a large enterprise that has made a significant investment in such tools.

I'll give you pointers to two. They're two of the three largest software companies in the world.

http://news.com.com/2100-1002_3-5220488.html
http://news.zdnet.com/2100-3513_22-6002747.html

Brian

_____
_______________________________________________
Secure Coding mailing list (SC-L)
SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php