Network Security Web-App-Sec

Re: Fortify Source Code Auditing Suite and the like

Subject: Re: Fortify Source Code Auditing Suite and the like
Date: Fri, 17 Feb 2006 22:24:32 -0800 (PST)
I won't talk much about false positives because that's
pretty obvious when using any automated scanning
tool.

For SCR/SCA I tried a few of the tools like Fortify and
PMD. Output from PMD was something related to good
programming practices, repetition of code, etc. and
didn't give any output related to security.

In my personal opinion Fortify is the best tool I
could explore so far. For Java applications, along with
Java files it also scans JSP files, XML files, Struts
config, etc. to provide satisfactory output. But I used
to verify every output from Fortify by going to the
lines of the code that have been pointed out in the output, and
no doubt many of the points used to be false positives.

But automated tools have limited scope, so you can't
escape manual code review. It's a good practice to run
an automated tool to start with a fresh SCR. But after
doing 4-5 code reviews you might feel that you can do
a better review than the tools.

I would like to know if someone could suggest a better
tool than Fortify.

-D
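The verification step D describes (go to the line the tool pointed at and decide whether it is really a finding) can be shown with a toy scanner. This is an added example, not code from the thread or from Fortify or PMD: it applies a crude "query variable reaches a JDBC Statement sink" rule, of the kind an automated SCA tool might use, to three constructed Java snippets, then triages each hit the way a reviewer would, checking whether the query string actually contains a method parameter or only constants. The Java classes, the regex rules and the verdict labels are all assumptions made for the illustration.

```python
"""
Toy SCA rule plus manual-style triage.  Everything below is constructed for
illustration: the Java snippets are not from any real project, and the
pattern rule is far simpler than what a commercial tool does.
"""
import re

# --- constructed Java sources (assumed, not real code) ---------------------
JAVA_SOURCES = {
    # True positive: a method parameter flows straight into the SQL string.
    "UserDao.java": """
public class UserDao {
    public ResultSet findByName(Statement st, String name) throws SQLException {
        String sql = "SELECT * FROM users WHERE name = '" + name + "'";
        return st.executeQuery(sql);
    }
}
""",
    # Likely false positive: the query is assembled only from constants.
    "ReportDao.java": """
public class ReportDao {
    private static final String TABLE = "reports";
    public ResultSet listAll(Statement st) throws SQLException {
        String sql = "SELECT id, title FROM " + TABLE + " ORDER BY id";
        return st.executeQuery(sql);
    }
}
""",
    # No finding at all: values are bound with '?', never concatenated.
    "OrderDao.java": """
public class OrderDao {
    public ResultSet byId(Connection c, int id) throws SQLException {
        PreparedStatement ps = c.prepareStatement("SELECT * FROM orders WHERE id = ?");
        ps.setInt(1, id);
        return ps.executeQuery();
    }
}
""",
}

# Crude rule: a Statement sink called with an identifier (not a literal).
SINK_CALL = re.compile(r"\.(executeQuery|executeUpdate|execute)\s*\(\s*(\w*)\s*\)")
ASSIGN = re.compile(r"String\s+(\w+)\s*=\s*(.+);")          # String x = ...;
PARAMS = re.compile(r"\(([^)]*)\)\s*(?:throws[^{]*)?\{")    # method parameter lists
CONST = re.compile(r"static\s+final\s+String\s+(\w+)")      # compile-time constants
LITERAL = re.compile(r'"[^"]*"')                            # string literals


def raw_findings(source):
    """What the automated rule reports: (line, variable) for every sink hit."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = SINK_CALL.search(line)
        if m and m.group(2):        # empty group means no argument or a literal
            hits.append((lineno, m.group(2)))
    return hits


def triage(source, var):
    """The reviewer's step: what does the flagged query variable contain?"""
    consts = set(CONST.findall(source))
    params = set()
    for plist in PARAMS.findall(source):
        for p in plist.split(","):
            if p.strip():
                params.add(p.split()[-1])   # 'String name' -> 'name'
    for m in ASSIGN.finditer(source):
        if m.group(1) != var:
            continue
        rhs = LITERAL.sub("", m.group(2))    # drop the literal parts
        idents = set(re.findall(r"[A-Za-z_]\w*", rhs))
        tainted = idents & params
        if tainted:                          # caller data reaches the query
            return "TRUE_POSITIVE", sorted(tainted)
        if idents <= consts:                 # only constants: no injection
            return "FALSE_POSITIVE", sorted(idents)
        return "NEEDS_REVIEW", sorted(idents)
    return "NEEDS_REVIEW", []


def scan_all(sources=JAVA_SOURCES):
    """Run the rule over every file and attach a triage verdict to each hit."""
    report = {}
    for fname, src in sources.items():
        for lineno, var in raw_findings(src):
            verdict, evidence = triage(src, var)
            report[fname] = {"line": lineno, "var": var,
                             "verdict": verdict, "evidence": evidence}
    return report


if __name__ == "__main__":
    for fname, r in scan_all().items():
        print(f"{fname}:{r['line']} executes '{r['var']}' -> "
              f"{r['verdict']} {r['evidence']}")
```

The point of the two stages is the one made above: the rule alone flags `UserDao` and `ReportDao` identically, and only following the variable back to its assignment separates the real injection from the constant-only query. A real tool tracks flows across files and through Struts or JSP layers, but the triage question stays the same.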

--- spammailme@gmail.com wrote:

All -

I am looking for feedback as to the 'real world' use
of the Fortify SCA tool. It states it performs automated
'white box' code reviews and from a demo it does the
job pretty quick. The company states it
detects security vulns (yet it seems a lot are
quality findings).

Q: Can anyone provide positive or negative
experiences using this tool or a like tool for Java
based apps?

Q: Can any of you provide rollout
suggestions/strategies that worked for you?

Thanks,

SomePlaceInCanada-ehhh


-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application
Attack!" 
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks
with real-world 
examples of recent hacking methods such as: SQL
Injection, Cross Site 
Scripting and Parameter Manipulation


https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl

--------------------------------------------------------------------------




