James, Response below. > I have been noodling the problem space of secure coding after > attending a wonderful class taught by Ken Van Wyk. I have been > casually checking out Fortify, Ounce Labs, etc and have a thought that > this stuff should really be part of the compiler and not a standalone > product. Understanding that folks do start companies to make up > deficiencies in what large vendors ignore, how far off base in my > thinking am I? Tom Plum (from Plum Hall, Inc.) is developing a solution called Safe/Secure C/C++ (SSCC) that might interest you (http://www.plumhall.com/sscc.html). SSCC incorporates static-analysis methods into the compiler as well adding as run-time protections schemes to eliminate buffer overflows as well as mitigate against other types of vulnerabilities. (I know that the claim seems exaggerated, but the approach seems quite sound and I have yet to identify a case that SSCC can not eliminate).
Anyway, there is more information on his web site and I have cc'd Tom on this message in case you would like to contact him directly. rCs _______________________________________________ Secure Coding mailing list (SC-L) [email protected] List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________
