[WEB SECURITY] R: [WEB SECURITY] Static code analyzers

Vicari Marco Vincenzo (UGIS - UniCredit Group) MarcoVincenzo.Vicari at unicreditgroup.eu
Wed Jan 21 04:23:04 EST 2009

In my company I'm using Ounce 6 (Ounce Labs). It is expensive, but less than other commercial products like Fortify; it is a good tool, very user friendly, and has interesting features. We have a lot of web applications, and the scan step is configured to work in batch mode; after the triage step, it shows the vulnerabilities to the analyst, who can verify each flaw with the source navigator included in Ounce. There is also a feature that permits publishing and sharing the assessment.
For us it is a good tool.

Marco Vincenzo Vicari
ICT Security
Infrastructure and Customer Services
Unicredit Global Information Services
Via Ugo La Malfa 50
90100 Palermo, Italia 
Tel. +39 091 608 6332
Cell. +39 335 7978086
mailto:marco.vicari at unicreditgroup.eu
From: Mostafa Siraj [mailto:mostafa.siraj at gmail.com] 
Sent: Thursday, 15 January 2009 12.40
To: John Johnson
Cc: connectjunkie at gmail.com; websecurity at webappsec.org
Subject: Re: [WEB SECURITY] Static code analyzers

In my company I'm using Ounce Labs and CAT.NET. Ounce Labs is very expensive (your company has to be big in order to be able to buy it), while CAT.NET is free (at least until now). Ounce is a very powerful tool according to my experience and did a great job in improving the security of our products.

On Thu, Jan 15, 2009 at 12:00 AM, John Johnson <john_johnson89 at hotmail.com> wrote:
Another key factor involved in "best" might be what the tool will find.  The vendors in this space have introduced support for languages at different times, and have put different levels of effort into the depth with which they research the threat landscape and to what degree they mark up the API in their security rules knowledgebase(s).  For example, at one snapshot in time tool A may scan .NET code but find a limited number of real issues and a high number of FPs, while tool B may have gone deeper and done a better job.  Then with a different language that may be reversed.
The best way to really know is to do simple testing on sample code.

Date: Wed, 14 Jan 2009 21:33:48 +0000
From: connectjunkie at gmail.com
To: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] Static code analyzers

Define "better".  Are you looking at usage scenario (i.e. integrates into more Visual Studio versions, integrates into Team Studio, etc.), more security bugs found (will depend on people's experiences and code), runs faster, uses less memory, is cheaper/better value, etc.?

Also, are you looking at commercial, or freely available solutions?

On 14/01/2009 21:10, "Michael Williams" <mw7301 at hotmail.com> wrote:

I was wondering whether any of you have a feel for which static code analyzer does a better job with C# source code? From my research it looks to me like some of the products seem to do better with Java than C++, or vice versa, for example, so I was wondering which one seemed to do C# the best.
