Security Basics: Source code auditing tools capabilities and evaluation

From: Source Auditor <source.audit_at_gmail.com>
Date: Fri, 25 Feb 2005 14:25:22 -0500

Hello List.
      Recently we started getting exposed to security vulnerabilities like buffer
overflows in our code and scrambled to fix them. However, now we want
to proactively look into such issues before/during the releases.

      We started investigating the tools of some vendors like Ounce
Labs, Klocwork, Fortify, Parasoft and Secure Software. We need these
tools for automated builds, security vulnerability scanning, etc.

      I have seen some threads in the past on these lists about such
queries but would like detailed comments from end users of such
tools on
      - how these tools are in terms of capabilities: strengths, limitations...
      - language support (C, C++, Java), platform support (Windows,
Unix, Linux)

     Any other vendors who have such tools? (Note: not interested in
vendors providing such services.)

     At the same time, we are also interested in improving the development
process (SDLC) and trying to identify possible improvements. Does
anyone know of books on this, or can anyone give pointers on what
should be considered here?

Thanks in advance,
Source auditor
Received on Mar 01 2005
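An added example, not part of the original post and not code from any of the vendor tools it names: the classic defect such source auditors flag in C, an unbounded copy into a fixed-size stack buffer, shown next to a bounded version that rejects oversized input, plus a self-check of the kind an automated build could run alongside the scanner. The function names, buffer size and sample inputs are constructed for illustration.

```c
/* Added example: vulnerable pattern vs. bounded replacement.
   Not from the original post or any vendor tool; names and sizes are
   assumptions chosen for illustration. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_MAX 16   /* constructed buffer size */

/* Vulnerable "before": no length check. Any input of NAME_MAX bytes or
   more overflows `name`. This is exactly the strcpy-into-fixed-buffer
   pattern static analyzers report. Kept only as the 'before'; never
   called by the self-check below. */
void greet_unsafe(const char *input)
{
    char name[NAME_MAX];
    strcpy(name, input);            /* unbounded copy: stack overflow */
    printf("Hello, %s\n", name);
}

/* Hardened: scan at most out_len bytes for the terminator and refuse
   input that does not fit, rather than silently truncating, so the
   caller can log and handle the oversized value.
   Returns 0 on success, -1 if the input was rejected. */
int greet_safe(const char *input, char *out, size_t out_len)
{
    size_t n = 0;
    if (input == NULL || out == NULL || out_len == 0)
        return -1;
    /* Never read past out_len bytes of the source. */
    while (n < out_len && input[n] != '\0')
        n++;
    if (n == out_len)               /* no NUL within out_len: too long */
        return -1;
    memcpy(out, input, n);
    out[n] = '\0';
    return 0;
}

/* Constructed inputs exercising the boundary: returns 1 if every case
   behaves as expected, 0 otherwise. */
int check_bounded_copy(void)
{
    char buf[NAME_MAX];
    const char *ok   = "alice";             /* 5 bytes: fits */
    const char *edge = "123456789012345";   /* 15 bytes: fits exactly */
    const char *bad  = "1234567890123456";  /* 16 bytes: no room for NUL */
    const char *huge = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 40 bytes */

    if (greet_safe(ok, buf, sizeof buf) != 0 || strcmp(buf, ok) != 0)
        return 0;
    if (greet_safe(edge, buf, sizeof buf) != 0 || strcmp(buf, edge) != 0)
        return 0;
    if (greet_safe(bad, buf, sizeof buf) != -1)
        return 0;
    if (greet_safe(huge, buf, sizeof buf) != -1)
        return 0;
    return 1;
}

int main(void)
{
    int ok = check_bounded_copy();
    printf("bounded copy self-check: %s\n", ok ? "pass" : "FAIL");
    return ok ? 0 : 1;
}
```

The rejected case (exactly NAME_MAX bytes, leaving no room for the terminator) is the off-by-one that a bounded copy such as strncpy without an explicit length check still gets wrong; failing loudly on it is what makes the regression test useful in a build pipeline.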
