the big question is... why would people want to drop everything
and run... like puppies... just to participate in what seems
to be somebody's commercial project.

-----Original Message-----
From: Evans, Arian [mailto:***@fishnetsecurity.com]
Sent: Friday, March 11, 2005 6:36 PM
To: ***@securityfocus.com; ***@securityfocus.com;
SC-***@securecoding.org; vuln-***@securityfocus.com
Subject: calling all software security tool vendors/freeware/open source
project leads


If you are a vendor of a software security tool, fault injection,
binary analysis, source code analysis, blah-foo, etc., please
contact me if we haven't spoken already.

I am finalizing a comprehensive list and doing a final check
to make sure I've accounted for all the software security
tool vendors.

nota bene; I'm excluding appsec firewalls & NIDS (web, db, etc.)
as part of the access control pool which may become a later review
project but is not part of "software security tools".

Thanks,

Arian Evans
Sr. Security Engineer
FishNet Security

Phone: 816.421.6611
Toll Free: 888.732.9406
Fax: 816.421.6677

http://www.fishnetsecurity.com

Kyle, the big answer is: [comments inline]
1. _The_reason_: I am going to provide and maintain a list of tools
related to finding and fixing flaws in application security (code).
I am going to cover the who, what when, where, features, etc.

This list will be maintained on www.owasp.org. It will be comparable
to the SANS tool list (not linked because it's worthless) or Talisker's
tool list (http://www.networkintrusion.co.uk/). It will be more
focused and hence (hopefully) more detailed/useful.

I would think a vendor would want to be listed. To ensure they are
listed they should contact me. The way you phrased your response makes
you sound as paranoid of people with agendas as I am. ;)

2. This project is not vendor driven. It is a personal project,
started on my own time and largely done on my own time. I will
host it using someone else's bandwidth where possible.

If necessary I would host this on my personal website; luckily,
organizations like OWASP have expressed interest in this.

3. No one needs to drop anything including puppies to participate.

In fact, I am very much not a fan of puppy dropping.

I am BCC'ing secprog, vuln-dev, SC-L, and webappsec again to
avoid needless cross-pollination.


-ae

My flawfinder home home at http://www.dwheeler.com/flawfinder
links to a number of tools & papers for static source code
analysis to find security flaws.

Until Arian Evans' master list is available at OWASP,
if you're looking for information that might be a
good place to start. (Arian Evans is already aware of this.)

Arian: I suggest that you list not just the tools
themselves, but also (some) papers about the tools.
Many of the people looking at the tools will want to
read reviews of the general technology & of specific tools.
You won't be able to list all papers, but a starting
point for people would be very helpful.

--- David A. Wheeler