Noodling on the value proposition of static analysis and wondering whether vendors
in this space are doing the right thing. For example, Gary McGraw was
one of the first to point out insecure APIs within Java such as readLine
not having a parameter to indicate the maximum read. Is there merit in vendors
figuring out how to perform the same function within commercial products?
For example, there are insecure APIs in IBM MQSeries, Struts, Spring,
etc.

Is there merit in collecting this type of information as a new OWASP
project?
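As an added illustration of what such a collected list could feed (example code, not from the original post or any vendor's product): a minimal rule-driven scanner over Java source that flags calls to APIs on a curated list. The rule table, the `deserialize` entry and the sample Java snippet are constructed for illustration; only the `readLine` observation comes from the post.

```python
"""Minimal rule-driven "insecure API" scanner over Java source (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    api: str      # method name to look for at call sites
    reason: str   # why a reviewer should look at the call


# Hypothetical rule table; a real project would curate one entry per library API.
RULES = [
    Rule("readLine", "BufferedReader.readLine has no maximum-length parameter; "
                     "an unbounded line can exhaust memory"),
    Rule("deserialize", "hypothetical entry: untrusted deserialization sink"),
]

# Matches `receiver.method(` style calls and captures the method name.
CALL_RE = re.compile(r"\.(\w+)\s*\(")


def scan_java(source: str, rules=RULES):
    """Return (line_number, api, reason) for each risky call found in `source`."""
    by_name = {r.api: r for r in rules}
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0]  # ignore trailing line comments
        for m in CALL_RE.finditer(code):
            rule = by_name.get(m.group(1))
            if rule:
                findings.append((lineno, rule.api, rule.reason))
    return findings


# Constructed sample input: one unbounded network read, one call in a comment.
SAMPLE_JAVA = """\
BufferedReader in = new BufferedReader(new InputStreamReader(sock.getInputStream()));
String header = in.readLine();           // unbounded read from the network
// in.readLine() inside a comment is not a call
int n = buffer.readFully(data);
"""

if __name__ == "__main__":
    for lineno, api, reason in scan_java(SAMPLE_JAVA):
        print(f"line {lineno}: {api}: {reason}")
```

The comment-stripping is deliberately naive (no block comments or string literals), which is exactly the gap a real tool's parser would close.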
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________