> if I got you and Jim correctly, the free service provided by Coverity
is almost worthless because the positive to false positive rate is
awfully bad?
> From your point of view this tool isn't worth 50 k$?
Tool being worth 50k? I don't think so. A group a trained humans can do
it much cheaper with 90% or more coverage with less false positives.
But I am biased , this is what I do for a living.
I think the only situation where one would use Fortify/Coverity is when
I have too many apps to manually review, and I really don't care about
complete appSec coverage (like I just need to pass an audit and I don't
really care about security)
- Jim
Mark Thomas wrote:
Jim Manico wrote:
The Fortify Opensource project automatically scans the Tomcat
codebase on a regular basis.
This probably only gives you 10% security coverage at best, but it's
a free report form a $50k tool.
http://opensource.fortifysoftware.com
A great example of why I have don't have much faith (hope for the
future yes - faith for the current crop no) in these tools. In summary:
- they are looking at 4.1.10, 5.5.20 and 6.?
- I don't know which TC6 version they analysed (but I suspect it is
quite old) since they never responded to my requests to add me to
that project and I lost interest
- there are so many false positives I got fed up looking at them
- the bug reporting is way to clunky compared to just using Eclipse
or any other decent IDE
- it missed most (all if I recall correctly - I don't have the time
or inclination to check) of the XSS issues we know were in 4.1.10
onwards
Mark,
if I got you and Jim correctly, the free service provided by Coverity
is almost worthless because the positive to false positive rate is
awefully bad?
From your point of view this tool isn't worth 50 k$?
I thought the tools are directly given to the projects. If they do not
tell you what they have scanned, it's pretty superfluous to me.
Thanks
--
Jim Manico, Senior Application Security Engineer
[EMAIL PROTECTED] | [EMAIL PROTECTED]
(301) 604-4882 (work)
(808) 652-3805 (cell)
Aspect Security™
Securing your applications at the source
http://www.aspectsecurity.com
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
