On Friday my admittedly small mind produced the email included below, which has resulted in a lot of well-meaning replies not in the area I am looking for. The problem is that I declined to provide a translation key for my ambiguous terminology.

"Software Security Tools" = "Software tools to test or fix applications at the source code, binary, or UI level".

Examples of fault-injection tools at interface level are: SPIKE, WebInspect, NTOSpider, etc. Examples at the binary level are: IDA Pro, @stake's disappearing analyzers, Fortify, possibly others that I am missing. Examples at the source level are: Secure Software, Compuware, Coverity, and any number of static signature matchers (like RATS). I'm also including sandboxing tools, like Holodeck and how to use sysinternals tools for sandboxing.

I am not including traditional network Vuln Scanners. I am also not covering access controls like webappsec Firewalls or IDS, stack-protectors, anti-virus, HIDS, HIPS, HOAX, etc. All these are essentially access controls to prevent access to fundamentally broken code. I'm interested in finding and fixing that code, and those are the tools I'm looking for.

I am BCCing secprog, vuln-dev, webappsec, and SC-L which I forgot to do last time to prevent duplicate postings.

Have a great weekend and thanks for all the follow-up so far,

-ae

> -----Original Message-----
> From: Evans, Arian
> Sent: Friday, March 11, 2005 5:36 PM
> To: [email protected]; [EMAIL PROTECTED];
> [email protected]; [EMAIL PROTECTED]
>
> If you are a vendor of a software security tool, fault injection,
> binary analysis, source code analysis, blah-foo, etc., please
> contact me if we haven't spoken already.
>
> I am finalizing a comprehensive list and doing a final check
> to make sure I've accounted for all the software security
> tool vendors.
>
> nota bene; I'm excluding appsec firewalls & NIDS (web, db, etc.)
> as part of the access control pool which may become a later review
> project but is not part of "software security tools".
>
> Thanks,
>
> Arian Evans
> Sr. Security Engineer
> FishNet Security
>
> Phone: 816.421.6611
> Toll Free: 888.732.9406
> Fax: 816.421.6677
>
> http://www.fishnetsecurity.com
