WebApp Sec mailing list archives

Clarification to: -->calling all software security tool vendors/freeware/open source project leads

From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Sat, 12 Mar 2005 19:44:00 -0600

On Friday my admittedly small mind produced the email included below,
which has resulted in a lot of well-meaning replies not in the area I
am looking for. The problem is that I declined to provide a translation
key for my ambiguous terminology.

"Software Security Tools" = "Software tools to test or fix applications
at the source code, binary, or UI level".

Examples of fault-injection tools at interface level are:
SPIKE, WebInspect, NTOSpider, etc.

Examples at the binary level are:
IDA Pro, @stake's disappearing analyzers, Fortify, possibly others
that I am missing.

Examples at the source level are: Secure Software, Compuware, Coverity,
and any number of static signature matchers (like RATS).

I'm also including sandboxing tools, like Holodeck and how to use
sysinternals tools for sandboxing.

I am not including traditional network Vuln Scanners.

I am also not covering access controls like webappsec Firewalls
or IDS, stack-protectors, anti-virus, HIDS, HIPS, HOAX, etc.
All these are essentially access controls to prevent access to
fundamentally broken code. I'm interesting in finding and fixing
that code, and those are the tools I'm looking for.

I am BCCing secprog, vuln-dev, webappsec, and SC-L which
I forgot to do last time to prevent duplicate postings.

Have a great weekend and thanks for all the follow-up so far,

-ae

-----Original Message-----
From: Evans, Arian 
Sent: Friday, March 11, 2005 5:36 PM
To: secprog () securityfocus com; webappsec () securityfocus com;
SC-L () securecoding org; vuln-dev () securityfocus com

If you are a vendor of a software security tool, fault injection,
binary analysis, source code analysis, blah-foo, etc., please
contact me if we haven't spoken already.

I am finalizing a comprehensive list and doing a final check
to make sure I've accounted for all the software security
tool vendors.

nota bene; I'm excluding appsec firewalls & NIDS (web, db, etc.)
as part of the access control pool which may become a later review
project but is not part of "software security tools".

Thanks,

Arian Evans
Sr. Security Engineer
FishNet Security

Phone:  816.421.6611
Toll Free:  888.732.9406
Fax:  816.421.6677

http://www.fishnetsecurity.com

Current thread:

Clarification to: -->calling all software security tool vendors/freeware/open source project leads Evans, Arian (Mar 13)