hi sc-l,

It's a busy week for announcements of some things that have been brewing at Cigital for a while. The first and most relevant to sc-l is a set of Fortify rules that we released today. We've been building and using custom rules for many of the code scanning tools for a while now, and we're psyched to share a bunch of the non-proprietary ones with the community via open source.

You can get the Cigital Java Security Rulepack 1.0 here: http://www.cigital.com/securitypack/

Briefly, the rules enhance Fortify's coverage of Java and include specialized rules about J2EE, Struts, Java Crypto, and some other things. You can actually look at the rules (and tweak them if you want). We've found that custom rules significantly enhance uptake of static analysis tools in large dev shops, especially when rules are customized for the shop itself.

My latest informIT column is about getting past the bug parade and focusing some attention on flaws. Custom rules help by moving up the bug hierarchy towards flaws (but can't replace practices like threat modeling and Architectural Risk Analysis). You can read all about that here: http://www.informit.com/articles/article.aspx?p=1248057

Finally, Microsoft announced their new SDL Pro Network of nine companies prepared to roll out the SDL more widely. As the largest provider of software security services on this tiny planet, we're happy to be involved in that. For more on that, see Justice League: http://www.cigital.com/justiceleague/2008/09/16/strengthening-software-security-through-collaboration/

As always, we're interested in your feedback. Like the rules? Think hawking the SDL is good? Care about flaws as much as the bugs everyone is always going on about??

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________