Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Clarification to: -->calling all software security tool vendors/freeware/open source project leads
From: Evans, Arian (Arian.Evansfishnetsecurity.com)
Date: Sat Mar 12 2005 - 19:44:00 CST
On Friday my admittedly small mind produced the email included below,
which has resulted in a lot of well-meaning replies not in the area I
am looking for. The problem is that I declined to provide a translation
key for my ambiguous terminology.
"Software Security Tools" = "Software tools to test or fix applications
at the source code, binary, or UI level".
Examples of fault-injection tools at interface level are:
SPIKE, WebInspect, NTOSpider, etc.
Examples at the binary level are:
IDA Pro, stake's disappearing analyzers, Fortify, possibly others
that I am missing.
Examples at the source level are: Secure Software, Compuware, Coverity,
and any number of static signature matchers (like RATS).
I'm also including sandboxing tools, like Holodeck and how to use
sysinternals tools for sandboxing.
I am not including traditional network Vuln Scanners.
I am also not covering access controls like webappsec Firewalls
or IDS, stack-protectors, anti-virus, HIDS, HIPS, HOAX, etc.
All these are essentially access controls to prevent access to
fundamentally broken code. I'm interesting in finding and fixing
that code, and those are the tools I'm looking for.
I am BCCing secprog, vuln-dev, webappsec, and SC-L which
I forgot to do last time to prevent duplicate postings.
Have a great weekend and thanks for all the follow-up so far,
> -----Original Message-----
> From: Evans, Arian
> Sent: Friday, March 11, 2005 5:36 PM
> To: secprogsecurityfocus.com; webappsecsecurityfocus.com;
> SC-Lsecurecoding.org; vuln-devsecurityfocus.com
> If you are a vendor of a software security tool, fault injection,
> binary analysis, source code analysis, blah-foo, etc., please
> contact me if we haven't spoken already.
> I am finalizing a comprehensive list and doing a final check
> to make sure I've accounted for all the software security
> tool vendors.
> nota bene; I'm excluding appsec firewalls & NIDS (web, db, etc.)
> as part of the access control pool which may become a later review
> project but is not part of "software security tools".
> Arian Evans
> Sr. Security Engineer
> FishNet Security
> Phone: 816.421.6611
> Toll Free: 888.732.9406
> Fax: 816.421.6677