ements. Has anyone here run across contract clauses that assist in this regard?
-Original Message-
From: Gunnar Peterson [mailto:[EMAIL PROTECTED]
Sent: Friday, June 09, 2006 8:48 AM
To: Brian Chess; Secure Mailing List; McGovern, James F (HTSC, IT)
Subject: Re: [SC-L] RE: Comparing Sc
Crispin Cowan wrote:
I would like to introduce you to my new kick-ass scanning tool. You run
it over your source code, and it only produces a single false-positive
for you to check out. That false positive just happens to be the
complete source code listing for your entire program :)
If you ca
Crispin Cowan wrote:
David A. Wheeler wrote:
Brian Chess (brian at fortifysoftware dot com) said:
False positives:
Nobody likes dealing with a pile of false positives, and we work hard to
reduce false positives without giving up potentially exploitable
vulnerabilities.
I think everyone ag
Gary McGraw wrote:
Hi all (especially david),
The story you repeated about ITS4 finding a vulnerability
> "that can't happen" is wrong.
The tool FIST (a fault injection tool for security) which we described
> in an Oakland paper from 1998 was what you were thinking of.
> (FIST was also produc
I've been pushing contractual requirements for ISVs at work (academic medical
center with a $1B+ revenue hospital), particularly in the lengthy negotiations
last winter with our new clinical information system vendor (the software
license alone will cost us about $100M).
In a nutshell:
- "W
s are on the
beach.
gem
www.cigital.com
www.swsec.com
-Original Message-
From: David A. Wheeler [mailto:[EMAIL PROTECTED]
Sent: Mon Jun 12 19:33:52 2006
To: sc-l@securecoding.org
Subject: [SC-L] Re: Comparing Scanning Tools (false positives)
I'd like to follow up on Br
David A. Wheeler wrote:
> Brian Chess (brian at fortifysoftware dot com) said:
>> False positives:
>> Nobody likes dealing with a pile of false positives, and we work hard to
>> reduce false positives without giving up potentially exploitable
>> vulnerabilities.
> I think everyone agrees that there
I'd like to follow up on Brian Chess' comments...
Brian Chess (brian at fortifysoftware dot com) said:
False positives:
Nobody likes dealing with a pile of false positives, and we work hard to
reduce false positives without giving up potentially exploitable
vulnerabilities.
I think everyone a
At 2:32 PM -0400 6/9/06, Jeremy Epstein wrote:
> Having said that, it's completely at odds compared to what I see working
>for an ISV of a non-security product. That is, I almost never have
>prospects/customers ask me what we do to assure our software.
I don't even get those questions for our se
Title: Re: [SC-L] RE: Comparing Scanning Tools
At the RSA Conference in February, I went to a reception
hosted by a group called "Secure Software Forum" (not to be confused with
the company Secure Software Inc, which offers a product competitive to
Fortify). They had a panel ses
Title: Re: [SC-L] RE: Comparing Scanning Tools
The OWASP Legal project took a crack at
this: http://www.owasp.org/index.php/Category:OWASP_Legal_Project
This project developed a strawman Secure
Software Development Contract annex which is available at: http://www.owasp.org/index.php
Title: Re: [SC-L] RE: Comparing Scanning Tools
I
think I should have been more specific in my first post. I should have phrased
it as I have yet to find a large enterprise whose primary business isn't
software or technology that has made a significant investment in such
tools.
Likewi
Title: Re: [SC-L] RE: Comparing Scanning Tools
Right, because their customers (are starting to) demand more secure code from their technology. In the enterprise space the financial, insurance, healthcare companies who routinely lose their customers' data and provide their customers with
Title: RE: Comparing Scanning Tools
McGovern, James F wrote:
> I have yet to find a large enterprise that has made a significant investment in such tools.
I’ll give you pointers to two. They’re two of the three largest software companies in the world.
http://news.com.com/2100-1002_3-5220488
Hi Jerry, as one of the creators of the tool you evaluated, I have to admit
I have the urge to comment on your message one line at a time and explain
each way in which the presentation you attended did not adequately explain
what Fortify does or how we do it. But I don't think the rest of the peop