Vulnerability Development: Clarification to: -->calling all software security tool vendors/freeware/open source project leads

From: Evans, Arian <Arian.Evans_at_fishnetsecurity.com>
Date: Sat, 12 Mar 2005 19:44:00 -0600

On Friday my admittedly small mind produced the email included below,
which has resulted in a lot of well-meaning replies not in the area I
am looking for. The problem is that I declined to provide a translation
key for my ambiguous terminology.

"Software Security Tools" = "Software tools to test or fix applications
at the source code, binary, or UI level".

Examples of fault-injection tools at interface level are:
SPIKE, WebInspect, NTOSpider, etc.

Examples at the binary level are:
IDA Pro, @stake's disappearing analyzers, Fortify, possibly others
that I am missing.

Examples at the source level are: Secure Software, Compuware, Coverity,
and any number of static signature matchers (like RATS).

I'm also including sandboxing tools, like Holodeck and how to use
sysinternals tools for sandboxing.

I am not including traditional network Vuln Scanners.

I am also not covering access controls like webappsec Firewalls
or IDS, stack-protectors, anti-virus, HIDS, HIPS, HOAX, etc.
All these are essentially access controls to prevent access to
fundamentally broken code. I'm interested in finding and fixing
that code, and those are the tools I'm looking for.

I am BCCing secprog, vuln-dev, webappsec, and SC-L which
I forgot to do last time to prevent duplicate postings.

Have a great weekend and thanks for all the follow-up so far,

-ae

> -----Original Message-----
> From: Evans, Arian
> Sent: Friday, March 11, 2005 5:36 PM
> To: secprog_at_securityfocus.com; webappsec_at_securityfocus.com;
> SC-L_at_securecoding.org; vuln-dev_at_securityfocus.com
>
> If you are a vendor of a software security tool, fault injection,
> binary analysis, source code analysis, blah-foo, etc., please
> contact me if we haven't spoken already.
>
> I am finalizing a comprehensive list and doing a final check
> to make sure I've accounted for all the software security
> tool vendors.
>
> nota bene: I'm excluding appsec firewalls & NIDS (web, db, etc.)
> as part of the access control pool which may become a later review
> project but is not part of "software security tools".
>
> Thanks,
>
> Arian Evans
> Sr. Security Engineer
> FishNet Security
>
> Phone: 816.421.6611
> Toll Free: 888.732.9406
> Fax: 816.421.6677
>
> http://www.fishnetsecurity.com
>
>
Received on Mar 15 2005
