
Subject: Clarification to: -->calling all software security tool vendors/freeware/open source project leads
Date: Sat, 12 Mar 2005 19:44:00 -0600
On Friday my admittedly small mind produced the email included below,
which has resulted in a lot of well-meaning replies not in the area I
am looking for. The problem is that I declined to provide a translation
key for my ambiguous terminology.

"Software Security Tools" = "Software tools to test or fix applications
at the source code, binary, or UI level".

Examples of fault-injection tools at interface level are:
SPIKE, WebInspect, NTOSpider, etc.

Examples at the binary level are:
IDA Pro, @stake's disappearing analyzers, Fortify, possibly others
that I am missing.

Examples at the source level are: Secure Software, Compuware, Coverity,
and any number of static signature matchers (like RATS).

I'm also including sandboxing tools, like Holodeck and how to use
sysinternals tools for sandboxing.

I am not including traditional network Vuln Scanners.

I am also not covering access controls like webappsec Firewalls
or IDS, stack-protectors, anti-virus, HIDS, HIPS, HOAX, etc.
All these are essentially access controls to prevent access to
fundamentally broken code. I'm interested in finding and fixing
that code, and those are the tools I'm looking for.

I am BCCing secprog, vuln-dev, webappsec, and SC-L which
I forgot to do last time to prevent duplicate postings.

Have a great weekend and thanks for all the follow-up so far,

-ae

-----Original Message-----
From: Evans, Arian 
Sent: Friday, March 11, 2005 5:36 PM
To: secprog@securityfocus.com; webappsec@securityfocus.com;
SC-L@securecoding.org; vuln-dev@securityfocus.com

If you are a vendor of a software security tool, fault injection,
binary analysis, source code analysis, blah-foo, etc., please
contact me if we haven't spoken already.

I am finalizing a comprehensive list and doing a final check
to make sure I've accounted for all the software security
tool vendors.

nota bene; I'm excluding appsec firewalls & NIDS (web, db, etc.)
as part of the access control pool which may become a later review
project but is not part of "software security tools".

Thanks,

Arian Evans
Sr. Security Engineer
FishNet Security

Phone:  816.421.6611
Toll Free:  888.732.9406
Fax:  816.421.6677

http://www.fishnetsecurity.com
