Dailydave mailing list archives

Re: @stake SafeApps


From: "Matt Hargett" <matt () use net>
Date: Mon, 24 Nov 2003 13:05:56 -0800

Is there anyone on this list that has more than just the marketing
goop on @stake SafeApps? What I have so far is from MS's slides (wow,
who would've guessed the special relationship between MS and @s ;)

From MS/@s advertisement:
Secure Code Assurance (SCA) engine
Replaces a manual security code review. @stake expert code reviewer in a
box.
Detects the programming errors that lead to security vulnerabilities.
Assists in remediating the errors.
Detects programming errors that lead to viruses and worms
Prioritizes risk of each error from severe error to warning. Optimizes
programmer’s time.
Guides the programmer to fix the source of error. Most programmers don’t
know how to fix security errors.
Target user
Developer, QA Engineer, Security Engineer
Development teams that use SafeApps can drastically reduce the number of
vulnerabilities in their software.
----
@stake’s world class application experience in a box
Expert code reviewers on our development team
Extensible scripted architecture
Can update with new script packages that detect newly found classes of
problems
Can build script packs tailored to particular customer environments
Detects vulnerabilities as early as possible for maximum security ROI.
Analysis performed on program binaries instead of the source code
Deepest security analysis possible
Uses the context of the entire program
Evaluates interaction with OS and other binary components
Risk Analysis Reporting
Summarizes overall program risk.  Can be rolled up for an entire
enterprise
Prioritizes errors by risk. Programmers can fix highest risk problems
first.
-----
SafeApps modeling engine builds control flow and data flow graphs of the
program. Range of data is propagated.
Scripts analyze the graphs for coding flaws
Language and standard library issues
Buffer overruns (off by ones, size mismatches), format string
vulnerabilities, integer overflows (type conversions), race conditions,
error return checking
Platform API
Privilege escalation, cryptography usage, database usage, network usage
High level issues
Backdoors, denial of service, HTTP, input validation

Anything else besides "builds control flow and data flow graphs"?
:-)
Anyone from @s on this list who wants to tell us about the real deal?

This is an interesting development. The last I heard, UDS was being scaled
back as a product and only doing source code analysis. This would coincide
with what I heard from another former @stake person who said "I have zero
confidence that UDS will ever reach the market in its current form."

I think this is cool, though. More competition in this space will mean that
the tools will just get better faster and in turn software will be made more
secure faster. (I am such a QA nerd.)

Does anyone know if some of these compiler features mentioned on the list
have been submitted for GCC 3.4?

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
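The slide bullets quoted in the message ("range of data is propagated", "buffer overruns (off by ones, size mismatches)", "prioritizes risk of each error from severe error to warning") describe a value-range analysis without showing one. The following is an added illustration, not @stake SafeApps code and not from the slides: a toy interval propagation over a hypothetical statement-tuple mini-IR (the tuple forms, the three sample programs and the severity labels are all constructed for this example). Each integer variable carries an inclusive [lo, hi] interval, buffer stores and copies are compared with the declared sizes, and findings are ranked "severe" when no possible value is in bounds and "warning" when only some inputs trigger the overrun.

```python
"""Toy value-range propagation for buffer-bound checks.

Added example for this thread; not @stake SafeApps code. The statement
tuples are a hypothetical mini-IR, not a real binary lifter. Every integer
variable carries an inclusive [lo, hi] interval, buffer writes and copies
are compared with the declared sizes, and findings are ranked severe
(always out of bounds) or warning (out of bounds for some inputs)."""

from dataclasses import dataclass
from typing import Dict, List, Tuple, Union


@dataclass(frozen=True)
class Interval:
    lo: int
    hi: int


Expr = Union[int, str, tuple]   # literal, variable name, or ('+' | '-', Expr, Expr)
Finding = Tuple[str, str]       # (severity, message)

UNKNOWN = Interval(-2**63, 2**63 - 1)   # unconstrained 64-bit value


def eval_expr(e: Expr, env: Dict[str, Interval]) -> Interval:
    """Interval arithmetic; an unassigned variable is treated as unconstrained."""
    if isinstance(e, int):
        return Interval(e, e)
    if isinstance(e, str):
        return env.get(e, UNKNOWN)
    op, a, b = e
    x, y = eval_expr(a, env), eval_expr(b, env)
    if op == '+':
        return Interval(x.lo + y.lo, x.hi + y.hi)
    if op == '-':
        return Interval(x.lo - y.hi, x.hi - y.lo)
    raise ValueError(f"unsupported operator {op!r}")


def check_range(v: Interval, lo_ok: int, hi_ok: int, what: str) -> List[Finding]:
    """Compare an interval with the permitted [lo_ok, hi_ok] and rank the result."""
    if lo_ok <= v.lo and v.hi <= hi_ok:
        return []
    if v.lo > hi_ok or v.hi < lo_ok:
        sev = 'severe'    # no possible value is in bounds
    else:
        sev = 'warning'   # in bounds for some inputs, out of bounds for others
    note = ' (off by one)' if v.lo >= lo_ok and v.hi == hi_ok + 1 else ''
    return [(sev, f"{what}: range [{v.lo}, {v.hi}] exceeds [{lo_ok}, {hi_ok}]{note}")]


def _walk(stmts, env, bufs, findings) -> None:
    for stmt in stmts:
        kind = stmt[0]
        if kind == 'buf':        # ('buf', name, size): fixed-size byte array
            bufs[stmt[1]] = stmt[2]
        elif kind == 'assume':   # ('assume', var, lo, hi): bound established by an earlier check
            env[stmt[1]] = Interval(stmt[2], stmt[3])
        elif kind == 'set':      # ('set', var, expr)
            env[stmt[1]] = eval_expr(stmt[2], env)
        elif kind == 'loop':     # ('loop', var, lo, hi, inclusive, body): for (var = lo; var < or <= hi; var++)
            _, var, lo, hi, inclusive, body = stmt
            top = eval_expr(hi, env).hi - (0 if inclusive else 1)
            bottom = eval_expr(lo, env).lo
            if top < bottom:     # loop can never run, so its body is unreachable
                continue
            env[var] = Interval(bottom, top)
            _walk(body, env, bufs, findings)
        elif kind == 'store':    # ('store', buf, index): buf[index] = ...
            _, buf, index = stmt
            findings += check_range(eval_expr(index, env), 0, bufs[buf] - 1, f"write {buf}[{index}]")
        elif kind == 'copy':     # ('copy', dst, src, length): memcpy(dst, src, length)
            _, dst, src, length = stmt
            n = eval_expr(length, env)
            findings += check_range(n, 0, bufs[dst], f"copy of {length} bytes into {dst}")
            findings += check_range(n, 0, bufs[src], f"copy of {length} bytes out of {src}")
        else:
            raise ValueError(f"unknown statement {kind!r}")


def analyze(program: List[tuple]) -> List[Finding]:
    """Run the propagation and return findings, highest risk first."""
    findings: List[Finding] = []
    _walk(program, {}, {}, findings)
    return sorted(findings, key=lambda f: f[0] != 'severe')


# Constructed sample programs (hypothetical, not lifted from any real binary).
OFF_BY_ONE = [                           # char line[64]; for (i = 0; i <= n; i++) line[i] = c;
    ('buf', 'line', 64),
    ('assume', 'n', 0, 64),              # caller already checked n <= sizeof line
    ('loop', 'i', 0, 'n', True, [('store', 'line', 'i')]),
]
FIXED = [                                # same loop with i < n
    ('buf', 'line', 64),
    ('assume', 'n', 0, 64),
    ('loop', 'i', 0, 'n', False, [('store', 'line', 'i')]),
]
SIZE_MISMATCH = [                        # one-byte length field copied into a 16-byte field
    ('buf', 'dst', 16),
    ('buf', 'src', 256),
    ('assume', 'len', 0, 255),           # attacker-controlled, never compared with sizeof dst
    ('copy', 'dst', 'src', 'len'),       # overruns dst for len > 16
    ('set', 'k', ('+', 'len', 16)),      # k is always >= 16 ...
    ('store', 'dst', 'k'),               # ... so this write is always past the end
]

if __name__ == '__main__':
    for name, prog in [('OFF_BY_ONE', OFF_BY_ONE), ('FIXED', FIXED), ('SIZE_MISMATCH', SIZE_MISMATCH)]:
        print(name)
        for sev, msg in analyze(prog) or [('ok', 'no findings')]:
            print(f"  {sev:8} {msg}")
```

Running it reports the inclusive loop as a warning tagged "(off by one)" (the index may reach 64 on a 64-byte buffer), the exclusive loop as clean, and for the size-mismatch program a severe finding for the store at index len+16 ahead of the warning for the memcpy, which is the severe-before-warning ordering the slides promise. A real tool would of course build the intervals from the lifted binary and would need widening for loops, path conditions and inter-procedural summaries; none of that is attempted here.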

