> if I got you and Jim correctly, the free service provided by Coverity
is almost worthless because the positive to false positive rate is
awfully bad?
> From your point of view this tool isn't worth 50 k$?
Tool being worth 50k? I don't think so. A group of trained humans can do
it much more cheaply.
Mark Thomas wrote:
Jim Manico wrote:
The Fortify Opensource project automatically scans the Tomcat codebase
on a regular basis.
This probably only gives you 10% security coverage at best, but it's a
free report from a $50k tool.
http://opensource.fortifysoftware.com
A great example of why
Mark,
I agree with all of your comments 100%.
If you really wanted to conduct an in-depth security analysis, the best
bet is to hire a dedicated application security company to conduct a
targeted code review.
Most automated application security tools are crap. But for the sake of
academic r
Jim Manico wrote:
The Fortify Opensource project automatically scans the Tomcat codebase
on a regular basis.
This probably only gives you 10% security coverage at best, but it's a
free report from a $50k tool.
http://opensource.fortifysoftware.com
A great example of why I don't have m
The Fortify Opensource project automatically scans the Tomcat codebase
on a regular basis.
This probably only gives you 10% security coverage at best, but it's a
free report from a $50k tool.
http://opensource.fortifysoftware.com
Hi devs,
I've been investigating Apache Tomcat within my Bach
Michael Osipov wrote:
Mark Thomas wrote:
We do occasionally receive reports to the security team that provide
outputs from various security testing tools. In short, the output is
nearly always complete garbage. For example, on one occasion a handful
of XSS issues were reported all of which wer
Mark Thomas wrote:
Michael Osipov wrote:
Security advisories are taken up by a security team [3]. Does this team
or any other group/person take any measures to assure security with
testing tools, with a special test plan or functional requirements?
Hello Mark,
I did not expect such a quick an
Michael Osipov wrote:
Security advisories are taken up by a security team [3]. Does this team
or any other group/person take any measures to assure security with
testing tools, with a special test plan or functional requirements?
We do occasionally receive reports to the security team that prov
Hi devs,
I've been investigating Apache Tomcat within my Bachelor's thesis
"Application of security test tools in open source" at the Free
University of Berlin (FU Berlin) [1].
Basically, I am looking for security measures which have been taken to
prevent security leaks/vulnerabilities especially