WebApp Sec mailing list archives
Re: Fortify Source Code Auditing Suite and the like
From: Dhruv Soi <dhruv_ymca () yahoo com>
Date: Fri, 17 Feb 2006 22:24:32 -0800 (PST)
I won't talk much about false positives coz thats pretty obvious while using any automated scanning tool. For SCR/SCA I tried few of the tools like Fortify and PMD....Output from PMD was something related to good programming practices, repeatition of code etc. and didn't give any output related to security... In my personal opinion Fortify is the best tool I could explore so far. For Java applications, alongwith Java files it also scans JSP files, XML files, struts config etc to provide satisfactory output. But I use to verify every output from Fortify by going to the lines of the code that has been pointed in output and no doubt many of the points use to be false positives. But automated tools have limited scope so you can't escape manual code review. Its a good practice to run an automated tool to start with a fresh SCR. But after doing 4-5 code reviews you might feel that you can do a better review than tools. I would like to know if someone could suggest better tool than fortify. -D --- spammailme () gmail com wrote:
All - I am looking for feedback as to the 'real world' use of Fortify SCA tool. It states it performs automated 'white box' code reviews and from a demo it does the job pretty pretty quick. The company states it detects security vulns (yet it seems alot are quality findings). Q: Can anyone provide positive or negagtive expirences using this tool or like tool for JAVA based apps. Q: Can any of you provide rollout suggestions/strategies that worked for you? Thanks, SomePlaceInCanada-ehhh
-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics ALERT: "How A Hacker Launches A Web Application Attack!" Step-by-Step - SPI Dynamics White Paper Learn how to defend against Web Application Attacks with real-world examples of recent hacking methods such as: SQL Injection, Cross Site Scripting and Parameter Manipulation
https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com ------------------------------------------------------------------------- This List Sponsored by: SpiDynamics ALERT: "How A Hacker Launches A Web Application Attack!" Step-by-Step - SPI Dynamics White Paper Learn how to defend against Web Application Attacks with real-world examples of recent hacking methods such as: SQL Injection, Cross Site Scripting and Parameter Manipulation https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl --------------------------------------------------------------------------
Current thread:
- Fortify Source Code Auditing Suite and the like spammailme (Feb 17)
- Re: Fortify Source Code Auditing Suite and the like Dhruv Soi (Feb 17)
