Secure Coding mailing list archives

Perspectives on Code Scanning


From: thesp0nge at gmail.com (Paolo Perego)
Date: Sun, 10 Jun 2007 21:02:27 +0200

James, and all the list, please accept my apologies for my bad English
usage. Looking at your reply I understood I expressed my thoughts
playing badly with words.

By saying that vendors have to follow developer licensing, I meant
that in my opinion it is good that vendors still build tools to aid
developers, not only executives, as some mails in this thread would
suggest.

I do agree that tools designed to assist developers in writing secure
code have to be free and open. I'm writing one of these tools; indeed
it's a framework to build such tools, but that's not an important
difference in this topic.

I think that an open source approach is the winning one here, not just
for saving money on buying tools but for the widespread knowledge
shared among developers and security experts writing the tool itself.

Sorry for my former mail that doesn't show my opinion correctly.

The framework for code review tools I'm writing is an OWASP project,
hosted at SourceForge: http://orizon.sourceforge.net

Ciao ciao
thesp0nge


On 6/8/07, McGovern, James F (HTSC, IT) <James.McGovern at thehartford.com> wrote:
In a previous thread someone appropriately commented that perspectives in this space differ depending upon whether 
you are a software vendor, government customer or enterprise. I do not disagree that developers need to know how to 
fix their code. What I am saying is that tools to assist developers in writing better code should be free.

Your quote "*imho* vendor has to follow developer licensing" is where I think it will harm the goals of secure coding 
at large. Consider the trend within the industry that tools for software development are essentially becoming free. 
No one pays for IDEs (rare exceptions) when things like Eclipse and Visual Studio have free versions.

Enterprise folks however will pay lots of money for tools in the auditing space that help them to quantify risk. The 
ability to scan large multiple code bases is a different product/problem than scanning while writing code in an IDE. 
I am saying that more money could be had if folks focus on the first and not the latter. Vendors who get it twisted by 
focusing on the number of developers are delusional and should ask themselves why all but a select few of any 
enterprise aren't pervasively deploying tools to developers.

Give away the developer tools in the same way Microsoft does and you will accelerate your potential sales from the 
bottom up. Not all sales within places are driven top down...

-----Original Message-----
From: sc-l-bounces at securecoding.org
[mailto:sc-l-bounces at securecoding.org]On Behalf Of Paolo Perego
Sent: Friday, June 08, 2007 5:40 AM
To: McGovern, James F (HTSC, IT)
Cc: Secure Coding
Subject: Re: [SC-L] Perspectives on Code Scanning

Hi there, I found this thread very interesting.
It's true that developers are the ones who remediate code
insecurity and executives care about how much effort has to be spent
on closing branches. Indeed I think the two categories need a tool
approaching the same problem (telling whether code follows security best
practices or not) showing results in 2 "different" languages.

Developers need to know how to fix their code. Executives need to
know how much these fixes cost, who will attend to them and in how much
time fixes will be committed.

*imho* vendors have to follow developer licensing... since developers do
know how to write code but they have to be helped in writing it in a
secure way.

Safe coding is a concern for both developers and executives.
My 2 euro cents

Ciao ciao
thesp0nge
--
Owasp Orizon leader
orizon.sourceforge.net
_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________







-- 
Owasp Orizon leader
orizon.sourceforge.net

