Assurance
Threat Modeling – Vocabulary
A few posts back, we begun a series on Threat Modeling. As we begun writing the second installment in this series, it occurred to me that I’m using a lot of threat modeling vocabulary. When I speak on threat modeling I always warn my audience that ambiguity exists in some of the (even fundamental or [...]
When All You Have is a Hammer…
We’ve probably all experienced organizations that rely principally on a single assessment technique (whether it be static or dynamic, manual or tool-based). Unfortunately, this is all too common for security practices. When this topic came up recently with the question (paraphrased), “Are there numbers that demonstrate the value of a security program making use of [...]
Slapping Your Forehead Tomorrow
As usual @oneraindrop has written an interesting article on the cost of things entitled looking-backwards-from-the-future. In his post he discusses the need to consider the cost of things in terms of the opportunity lost by doing them: “Jim Rogers has a great practice on saving – when you think of buying something today, simply multiply [...]
Scrap Static Tools, just “Fix your code”?
Recently, Gary and I collaborated on an InformIT article on static analysis. you will find our observations regarding static analysis shared by others. It’s encouraging to note that Flash Sheridan observes many of the same difficulties and more formally treats them in his ISSRE ’10 publication. It’s worth a read. A few commentators shared some [...]
Increasing Static Visibility
Sometimes, people talk loosely about an important difference between static and dynamic analyzers. Static analyzers, they say, achieve 100% coverage. They may complain that dynamic tools struggle to get even double-digit statement coverage of an application under test. Dan Cornell wrote a blog post on static analysis coverage. He observed that while the static tool [...]
If it’s so hard why bother?
Recently, internal and external discussion hit on the topic of static tool comparison. The difficulty of this topic caused me to write up my thoughts as what became an InformIT article. This prompted some to respond, If selecting and adopting a tool is so hard, even for experts, why should I bother? Good question. The [...]
Gartner and Static Analysis
James McGovern recently wrote a post on Gartner’s static analysis (SA) report. Among other things, he lamented the lack of actionable guidance within the report. A lack of implementation guidance doesn’t shock me from Gartner, I can’t say I expect that from them. I can help James and community out by giving some of that [...]
Let the posturing begin…
Myself and others have been getting Webinar invites from IBM’s developerworks regarding Rational’s AppScan Developer Edition. This is of course part of the re-launch of the re-tooled AppScan product. It now includes a set of analysis types, some static and some dynamic. They’ve got fancy new names for subsets of each, some hair splitting to [...]
What Measures do Software Vendors Use for Software Assurance?
My last project for my former employer (Software AG) was a study of what software vendors do to achieve software assurance. The goal of the study was to see whether we (Software AG) were at, above, or below the norm, and to adjust investments in assurance accordingly. All but one of the vendors who participated [...]
On Open Source
There has been a recent flurry of activity regarding security assurance on a hush-hush open source mailing list I lurk on. The debate recently has to do with formal methods versus code scanning… apples and oranges in my view. However, there’s a new flurry of press over Coverity’s use of their tool to analyze well-known [...]
