Note to self: Always trust "white papers" that say things like "This
is not a sales-pitch."
Maty, could you cite examples of the "many" vendors you're talking about?
Otherwise this has little value and cannot be vetted.
Regarding your "Non Linking Code" example, there's a reason we want
the libraries so we can accurately compile the code - with the code
sample given, external libs could be filtering either user input or
the SQL statements.
I'm writing this as somebody who has used several major SCA tools - a
quick glance of your company's site looks interesting, but right now I
feel like I'm being marketed to.
John
On Oct 29, 2009, at 8:34 AM, Maty Siman wrote:
> Source Code Analysis has become the de facto choice to introduce secure
> development as well as gauge inherent software risk.
> The irony is that source code analysis doesn't often look at the source at
> all. In fact, the majority of the products are using Binary analysis or
> byte-code analysis (BCA) created by the compiler. This method saves a great
> deal of effort when developing the analysis tools, but lowers drastically
> the usability and accuracy of the results.
>
> This technical paper - with detailed code examples - from Checkmarx research
> labs, fills this gap and explains how developers, auditors and cloud
> platform providers benefit from the inherent advantages of a true source code
> analysis tool.
>
> http://www.checkmarx.com/NewsDetails.aspx?id=27&cat=3
>
>
> Maty Siman, CISSP
> Founder, CTO
> Checkmarx Ltd.
> www.checkmarx.com
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification
> Review Board
>
> Prove to peers and potential employers without a doubt that you can
> actually do a proper penetration test. IACRB CPT and CEPT certs
> require a full practical examination in order to become certified.
>
> http://www.iacertification.org
> ------------------------------------------------------------------------
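The point John raises about the "Non Linking Code" sample, that an analyzer which cannot see the external libraries cannot tell whether a call in between the user input and the SQL statement sanitizes the data, can be made concrete with a toy taint tracker. The following is an added example written for this thread; it is not code from John, from the Checkmarx paper, or from any SCA product. The names `request.args.get`, `libfilter.escape` and `cursor.execute`, the sample snippet, and the `library_facts` table are all constructed for the illustration.

```python
import ast

# Constructed lists of taint sources (attacker-controlled data) and SQL sinks.
SOURCES = {"request.args.get", "input"}
SINKS = {"cursor.execute"}

# Ordering used when several operands contribute to one value.
RANK = {"clean": 0, "unknown": 1, "tainted": 2}


def worst(states):
    """Most pessimistic taint state among the operands (clean for none)."""
    return max(states, key=RANK.__getitem__, default="clean")


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def analyze(source, library_facts):
    """Track taint through a flat sequence of top-level statements.

    library_facts maps a called function to "sanitizes" (output is clean)
    or "passes" (output carries the taint of its arguments). A function
    absent from the table is an unresolved external call: if it receives
    tainted data we can only report "unknown", exactly the situation when
    the external libraries are not available to the analyzer.
    Returns a list of (line, verdict) tuples, one per sink call.
    """
    taint = {}  # variable name -> "clean" | "unknown" | "tainted"
    findings = []

    def taint_of(expr):
        if isinstance(expr, ast.Call):
            fn = dotted_name(expr.func)
            if fn in SOURCES:
                return "tainted"
            arg_states = [taint_of(a) for a in expr.args]
            fact = library_facts.get(fn)
            if fact == "sanitizes":
                return "clean"
            if fact == "passes":
                return worst(arg_states)
            # Unresolved call: cannot know whether it filters its input.
            if worst(arg_states) != "clean":
                return "unknown"
            return "clean"
        if isinstance(expr, ast.Name):
            return taint.get(expr.id, "clean")
        if isinstance(expr, ast.BinOp):  # string concatenation etc.
            return worst([taint_of(expr.left), taint_of(expr.right)])
        if isinstance(expr, ast.JoinedStr):  # f-string
            return worst([taint_of(v.value) for v in expr.values
                          if isinstance(v, ast.FormattedValue)])
        if isinstance(expr, ast.Constant):
            return "clean"
        return "unknown"

    for stmt in ast.parse(source).body:
        if isinstance(stmt, ast.Assign) and len(stmt.targets) == 1 \
                and isinstance(stmt.targets[0], ast.Name):
            taint[stmt.targets[0].id] = taint_of(stmt.value)
        elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call) \
                and dotted_name(stmt.value.func) in SINKS:
            verdict = worst([taint_of(a) for a in stmt.value.args])
            findings.append((stmt.lineno, verdict))
    return findings


# Constructed sample in the spirit of the "Non Linking Code" discussion:
# an external library call sits between the user input and the SQL sink.
SAMPLE = '''
name = request.args.get("name")
safe = libfilter.escape(name)
cursor.execute("SELECT * FROM users WHERE name = '" + safe + "'")
'''


def verdicts():
    """The same snippet under three different amounts of library knowledge."""
    return {
        "libs unavailable": analyze(SAMPLE, {}),
        "escape sanitizes": analyze(SAMPLE, {"libfilter.escape": "sanitizes"}),
        "escape passes through": analyze(SAMPLE, {"libfilter.escape": "passes"}),
    }


if __name__ == "__main__":
    for label, result in verdicts().items():
        print(f"{label:>22}: {result}")
```

With the library absent the only honest verdict for the `cursor.execute` call is "unknown"; once the analyzer can see (or has been told) what `libfilter.escape` does, the same line resolves to "clean" or "tainted". That is the difference between reporting a finding and guessing one, and it is why analyzers that compile or link the full program, libraries included, tend to produce fewer unverifiable results.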