> if I got you and Jim correctly, the free service provided by Coverity
is almost worthless because the positive to false positive rate is
awfully bad?
> From your point of view this tool isn't worth 50 k$?
Tool being worth 50k? I don't think so. A group of trained humans can do
it much cheaper
Mark Thomas wrote:
Jim Manico wrote:
The Fortify Opensource project automatically scans the Tomcat codebase
on a regular basis.
This probably only gives you 10% security coverage at best, but it's a
free report from a $50k tool.
http://opensource.fortifysoftware.com
A great example of why
Mark,
I agree with all of your comments 100%.
If you really wanted to conduct an in-depth security analysis, the best
bet is to hire a dedicated application security company to conduct a
targeted code review.
Most automated application security tools are crap. But for the sake of
academic r
Jim Manico wrote:
The Fortify Opensource project automatically scans the Tomcat codebase
on a regular basis.
This probably only gives you 10% security coverage at best, but it's a
free report from a $50k tool.
http://opensource.fortifysoftware.com
A great example of why I don't have m
The Fortify Opensource project automatically scans the Tomcat codebase
on a regular basis.
This probably only gives you 10% security coverage at best, but it's a
free report from a $50k tool.
http://opensource.fortifysoftware.com
Hi devs,
I've been investigating Apache Tomcat within my Bach
Michael Osipov wrote:
Mark Thomas wrote:
We do occasionally receive reports to the security team that provide
outputs from various security testing tools. In short, the output is
nearly always complete garbage. For example, on one occasion a handful
of XSS issues were reported all of which wer
Mark Thomas wrote:
Michael Osipov wrote:
Security advisories are taken up by a security team [3]. Does this team
or any other group/person take any measures to assure security with
testing tools,
with a special test plan or functional requirements?
Hello Mark,
I did not expect such a quick an
Michael Osipov wrote:
Security advisories are taken up by a security team [3]. Does this team
or any other group/person take any measures to assure security with
testing tools,
with a special test plan or functional requirements?
We do occasionally receive reports to the security team that prov