Home page logo

pen-test logo Penetration Testing mailing list archives

Re: True Source Code Analysis for Security
From: Jason Ross <algorythm () gmail com>
Date: Wed, 4 Nov 2009 16:29:54 -0500

On Mon, Nov 2, 2009 at 8:36 PM, John Kinsella <jlk () thrashyour com> wrote:
I'm writing this as somebody who has used several major SCA tools - a quick
glance of your company's site looks interesting, but right now I feel like
I'm being marketed to.

Agreed, it feels "slimy". That was my first reaction to this thread as well.
But then I tried to identify what exactly it was that cause me to feel that way.

   * The white paper itself doesn't try to market their product that I
could see.
   * The web site it's available from doesn't require an email address or any
      other form of information before allowing you to download the document.
   * The original post does not attempt to specifically peddle any product.

I don't think there's anything wrong with a company putting out a technical
white paper that describes an issue as long as they aren't using it to
tout their
specific product. (that's what the marketing white papers are for IMO).

I also don't think there's anything wrong with that company sending an email to
a relevant list stating that they have such a paper available,
particularly if there's
no information required to obtain it (which always turns me off as a
marketing ploy
to build 'potential customer' databases).

So, I was left to conclude that really, the only reason I felt this
was marketing was
because the original message came from the founder of the company that presented
the paper and not some tech grunt within it.

For me, that was unfair, and is why I posted my original message about this.

That aside, as I mentioned in my post, and as you also pointed out in
yours, I'm not
sure that all of the arguments given in the doc are well founded.


This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]