Evans, Arian
2005-03-13 01:44:00 UTC
On Friday my admittedly small mind produced the email included below,
which has resulted in a lot of well-meaning replies not in the area I
am looking for. The problem is that I declined to provide a translation
key for my ambiguous terminology.
"Software Security Tools" = "Software tools to test or fix applications
at the source code, binary, or UI level".
Examples of fault-injection tools at interface level are:
SPIKE, WebInspect, NTOSpider, etc.
Examples at the binary level are:
IDA Pro, @stake's disappearing analyzers, Fortify, possibly others
that I am missing.
Examples at the source level are: Secure Software, Compuware, Coverity,
and any number of static signature matchers (like RATS).
I'm also including sandboxing tools, like Holodeck and how to use
sysinternals tools for sandboxing.
I am not including traditional network Vuln Scanners.
I am also not covering access controls like webappsec Firewalls
or IDS, stack-protectors, anti-virus, HIDS, HIPS, HOAX, etc.
All these are essentially access controls to prevent access to
fundamentally broken code. I'm interested in finding and fixing
that code, and those are the tools I'm looking for.
I am BCCing secprog, vuln-dev, webappsec, and SC-L which
I forgot to do last time to prevent duplicate postings.
Have a great weekend and thanks for all the follow-up so far,
-ae
-----Original Message-----
From: Evans, Arian
Sent: Friday, March 11, 2005 5:36 PM
If you are a vendor of a software security tool, fault injection,
binary analysis, source code analysis, blah-foo, etc., please
contact me if we haven't spoken already.
I am finalizing a comprehensive list and doing a final check
to make sure I've accounted for all the software security
tool vendors.
nota bene: I'm excluding appsec firewalls & NIDS (web, db, etc.)
as part of the access control pool which may become a later review
project but is not part of "software security tools".
Thanks,
Arian Evans
Sr. Security Engineer
FishNet Security
Phone: 816.421.6611
Toll Free: 888.732.9406
Fax: 816.421.6677
http://www.fishnetsecurity.com