Re. WhiteHat: yes they have boxes, no they aren't required, yes they have 
people.  I'm sure they'll expand when they return from Vegas. 

Re. Ounce: there's seriously no way to tell which way it will go.  Some 
companies do really well at acquiring smaller companies and making them 
flourish, while other companies quite simply don't (or worse).

I've seen web/sca "integrations" in the past (and present) and they're usually 
very cosmetic, like report munging or one tool calling the other to kick it off 
automatically.  Knowing your SaaS has additional capabilities is good (although 
whether they're "integrated" capabilities or not seems irrelevant). It seems 
completely unimportant from an SDL or pen-test/expert group perspective.  
Frankly I would hope that the PM priority would be integration into the dev 
environments first and foremost: into RAD (if not so already), Req Pro,  and 
the various other support systems dev teams use.  

>> simpler model Ounce was taking recently.  (Though was that sustainable?)
It clearly didn't have to be sustainable and certainly one can suspect it was 
never intended to be either.

One thing for ISVs is sure however: the cost of buying your way into the dev 
space just went up. 



-----Original Message-----
From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On 
Behalf Of Brad Andrews
Sent: Tuesday, July 28, 2009 5:03 PM
To: sc-l@securecoding.org
Subject: [SC-L] Integrated Dynamic and Static Scanning


Partnering is not the same thing as having a single owner for both  
tools.  I also believe WhiteHat is a "hire them and they do it" model,  
though they do put hardware in your enterprise.  IIRC, you could not  
do all the work yourself if you had whatever components they provided.

I don't think AppScan and the Ounce programs will be integrated to  
this extent soon, but it would be much easier, since they are both in  
the same company.    That level of integration is highly unlikely  
without the "common owner" this deal provides.

The end result may or may not be better, especially if they take the  
IBM trend of charging more rather than the simpler model Ounce was  
taking recently.  (Though was that sustainable?)

I would be interested in hearing how the Fortify/WhiteHat integration worked.

-- 

Brad Andrews
RBA Communications
CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI


> Fortify (www.fortify.com) has Partnered with WhiteHat Security   
> (www.whitehatsec.com) too

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________
