WebApp Sec mailing list archives

Re: Fortify Source Code Auditing Suite and the like


From: Dhruv Soi <dhruv_ymca () yahoo com>
Date: Fri, 17 Feb 2006 22:24:32 -0800 (PST)

I won't talk much about false positives coz thats
pretty obvious while using any automated scanning
tool. 

For SCR/SCA I tried few of the tools like Fortify and
PMD....Output from PMD was something related to good
programming practices, repeatition of code etc. and
didn't give any output related to security...

In my personal opinion Fortify is the best tool I
could explore so far. For Java applications, alongwith
Java files it also scans JSP files, XML files, struts
config etc to provide satisfactory output. But I use
to verify every output from Fortify by going to the
lines of the code that has been pointed in output and
no doubt many of the points use to be false positives.

But automated tools have limited scope so you can't
escape manual code review. Its a good practice to run
an automated tool to start with a fresh SCR. But after
doing 4-5 code reviews you might feel that you can do
a better review than tools.

I would like to know if someone could suggest better
tool than fortify.

-D

--- spammailme () gmail com wrote:

All -

I am looking for feedback as to the 'real world' use
of Fortify SCA tool. It states it performs automated
'white box' code reviews and from a demo it does the
job pretty pretty quick. The company states it
detects security vulns (yet it seems alot are
quality findings). 

Q: Can anyone provide positive or negagtive
expirences using this tool or like tool for JAVA
based apps.

Q: Can any of you provide rollout
suggestions/strategies that worked for you?

Thanks,

SomePlaceInCanada-ehhh


-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application
Attack!" 
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks
with real-world 
examples of recent hacking methods such as: SQL
Injection, Cross Site 
Scripting and Parameter Manipulation


https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl

--------------------------------------------------------------------------




__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application Attack!" 
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world 
examples of recent hacking methods such as: SQL Injection, Cross Site 
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------


Current thread: