Secure Coding mailing list archives

Dark Reading - Discovery and management - Security Startups Make Debut - Security News Analysis


From: gem at cigital.com (Gary McGraw)
Date: Mon, 22 Jan 2007 15:36:17 -0500

On page 107 of "Software Security" (http://www.swsec.com), I talk about
this very issue in a bit more depth.  I have attached a pdf snapshot of
that page from the book.
 
I think the idea of binary analysis is a great one for many reasons (see
Exploiting Software for a ton of examples), and I am glad that Veracode
has come out of stealth mode.  However, this should be treated as an
arrow in our quiver, not as the ultimate weapon.  I think the best part
of the business model these guys are pursuing is the idea of holding
COTS vendors accountable by outing them to their more diligent
customers.
 
gem
 
company www.cigital.com
podcast www.cigital.com/silverbullet
book www.swsec.com 

  _____  

From: sc-l-bounces at securecoding.org
[mailto:sc-l-bounces at securecoding.org] On Behalf Of Kenneth Van Wyk
Sent: Monday, January 22, 2007 1:53 PM
To: Secure Coding
Subject: [SC-L] Dark Reading - Discovery and management - Security
Startups Make Debut - Security News Analysis


Ok, last software security news item for today, I promise.  :-)  This
article (see 
http://www.darkreading.com/document.asp?doc_id=115110&WT.svl=news1_1) is
about a couple of new startup companies.  One of them in particular,
Veracode, may be of some interest here.  The article says, "Veracode,
founded by Chris Wysopal and other former executives of @stake, is now
offering patented binary-code analysis of software for enterprises that
want to analyze their software's security on a regular basis. The ASP
will also offer security reviews of enterprise products and security
analysis of third-party apps for software developers." 

The article also provides some counterpoints, including some from Gary
McGraw, that are worth reading.  Among other things, Gary says,
"However, if you want real security analysis you have to go past the
binary, past the source code, and actually consider the design."


Opinions on binary vs. source code (and design!) analysis, anyone?


Cheers,


Ken
-----
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: binary-analysis.pdf
Type: application/octet-stream
Size: 69649 bytes
Desc: binary-analysis.pdf
Url : http://krvw.com/pipermail/sc-l/attachments/20070122/6c446c43/attachment-0001.obj 