Tuesday, October 23, 2007
The Case of Insecure Security Software...
Have you ever noticed how bloggers such as Pat Patterson, Jaime Cardoso, Eric Norlin, Nishant Kaushik, Bex Huff, Craig Randall and others talk about security software, yet avoid discussing how their own software may be insecure...
I wonder what would happen if you were to gain access to the source code for the products they evangelize and run it through a static analysis tool that seeks out insecurity. What would it find? Wouldn't you as a customer want to know that these vendors aren't gassing their own heads up and are using independent, objective tools such as Ounce Labs, Fortify, Klocwork or Coverity to review their own code bases?
What would happen if the likes of Dan Blum, Nick Selby, Bob Blakely and Gerry Gebel were to start asking security vendors whether they use secure coding practices? Would we be in a better spot as customers? Don't worry vendors, the industry analysts won't print information that will truly help us customers make informed security decisions...