WebApp Sec: Re: Fortify Source Code Auditing Suite and the like

Re: Fortify Source Code Auditing Suite and the like

From: Dhruv Soi <dhruv_ymca_at_yahoo.com>
Date: Fri, 17 Feb 2006 22:24:32 -0800 (PST)

I won't talk much about false positives because that's pretty obvious while using any automated scanning tool.

For SCR/SCA I tried a few of the tools like Fortify and PMD... Output from PMD was something related to good programming practices, repetition of code etc. and didn't give any output related to security...

In my personal opinion Fortify is the best tool I could explore so far. For Java applications, along with Java files it also scans JSP files, XML files, struts config etc. to provide satisfactory output. But I used to verify every output from Fortify by going to the lines of the code that have been pointed out in the output, and no doubt many of the points used to be false positives.

But automated tools have limited scope so you can't escape manual code review. It's a good practice to run an automated tool to start with a fresh SCR. But after doing 4-5 code reviews you might feel that you can do a better review than tools.

I would like to know if someone could suggest a better tool than Fortify.

-D

--- spammailme_at_gmail.com wrote:

> All -
>
> I am looking for feedback as to the 'real world' use
> of the Fortify SCA tool. It states it performs automated
> 'white box' code reviews and from a demo it does the
> job pretty quick. The company states it
> detects security vulns (yet it seems a lot are
> quality findings).
>
> Q: Can anyone provide positive or negative
> experiences using this tool or a like tool for JAVA
> based apps.
>
> Q: Can any of you provide rollout
> suggestions/strategies that worked for you?
>
> Thanks,
>
> SomePlaceInCanada-ehhh


Received on Feb 17 2006
