WebApp Sec mailing list archives
Clarification to: -->calling all software security tool vendors/freeware/open source project leads
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Sat, 12 Mar 2005 19:44:00 -0600
On Friday my admittedly small mind produced the email included below, which has resulted in a lot of well-meaning replies not in the area I am looking for. The problem is that I declined to provide a translation key for my ambiguous terminology.

"Software Security Tools" = "Software tools to test or fix applications at the source code, binary, or UI level".

Examples of fault-injection tools at the interface level are: SPIKE, WebInspect, NTOSpider, etc. Examples at the binary level are: IDA Pro, @stake's disappearing analyzers, Fortify, possibly others that I am missing. Examples at the source level are: Secure Software, Compuware, Coverity, and any number of static signature matchers (like RATS). I'm also including sandboxing tools, like Holodeck, and how to use Sysinternals tools for sandboxing.

I am not including traditional network vuln scanners. I am also not covering access controls like webappsec firewalls or IDS, stack protectors, anti-virus, HIDS, HIPS, HOAX, etc. All these are essentially access controls to prevent access to fundamentally broken code. I'm interested in finding and fixing that code, and those are the tools I'm looking for.

I am BCCing secprog, vuln-dev, webappsec, and SC-L, which I forgot to do last time, to prevent duplicate postings.

Have a great weekend and thanks for all the follow-up so far,

-ae
-----Original Message-----
From: Evans, Arian
Sent: Friday, March 11, 2005 5:36 PM
To: secprog () securityfocus com; webappsec () securityfocus com; SC-L () securecoding org; vuln-dev () securityfocus com

If you are a vendor of a software security tool, fault injection, binary analysis, source code analysis, blah-foo, etc., please contact me if we haven't spoken already. I am finalizing a comprehensive list and doing a final check to make sure I've accounted for all the software security tool vendors.

Nota bene: I'm excluding appsec firewalls & NIDS (web, db, etc.) as part of the access control pool, which may become a later review project but is not part of "software security tools".

Thanks,

Arian Evans
Sr. Security Engineer
FishNet Security
Phone: 816.421.6611
Toll Free: 888.732.9406
Fax: 816.421.6677
http://www.fishnetsecurity.com