Secure Coding mailing list archives
Dark Reading - Discovery and management - Security Startups Make Debut - Security News Analysis
From: gem at cigital.com (Gary McGraw)
Date: Mon, 22 Jan 2007 15:36:17 -0500
On page 107 of "Software Security" (www.swsec.com), I talk about this very issue in a bit more depth. I have attached a pdf snapshot of that page from the book. I think the idea of binary analysis is a great one for many reasons (see Exploiting Software for a ton of examples), and I am glad that Veracode has come out of stealth mode. However, this should be treated as an arrow in our quiver, not as the ultimate weapon. I think the best part of the business model these guys are pursuing is the idea of holding COTS vendors accountable by outing them to their more diligent customers.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
book www.swsec.com

_____

From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of Kenneth Van Wyk
Sent: Monday, January 22, 2007 1:53 PM
To: Secure Coding
Subject: [SC-L] Dark Reading - Discovery and management - Security Startups Make Debut - Security News Analysis

Ok, last software security news item for today, I promise. :-)

This article (see http://www.darkreading.com/document.asp?doc_id=115110&WT.svl=news1_1) is about a couple of new startup companies. One of them in particular, Veracode, may be of some interest here. The article says,

"Veracode, founded by Chris Wysopal and other former executives of @stake, is now offering patented binary-code analysis of software for enterprises that want to analyze their software's security on a regular basis. The ASP will also offer security reviews of enterprise products and security analysis of third-party apps for software developers."

The article also provides some counterpoints, including some from Gary McGraw, that are worth reading. Among other things, Gary says, "However, if you want real security analysis you have to go past the binary, past the source code, and actually consider the design."

Opinions on binary vs. source code (and design!) analysis, anyone?

Cheers,

Ken

-----
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: binary-analysis.pdf
Type: application/octet-stream
Size: 69649 bytes
Desc: binary-analysis.pdf
Url : http://krvw.com/pipermail/sc-l/attachments/20070122/6c446c43/attachment-0001.obj
Current thread:
- Dark Reading - Discovery and management - Security Startups Make Debut - Security News Analysis, Gary McGraw (Jan 22)