Posted to dev@tomcat.apache.org by Michael Osipov <os...@inf.fu-berlin.de> on 2008/05/01 12:02:52 UTC

Re: Assuring Security by testing

Mark Thomas wrote:
> Jim Manico wrote:
>> The Fortify Opensource project automatically scans the Tomcat codebase 
>> on a regular basis.
>>
>> This probably only gives you 10% security coverage at best, but it's a 
>> free report from a $50k tool.
>>
>> http://opensource.fortifysoftware.com
> 
> A great example of why I don't have much faith (hope for the future 
> yes - faith for the current crop no) in these tools. In summary:
> - they are looking at 4.1.10, 5.5.20 and 6.?
> - I don't know which TC6 version they analysed (but I suspect it is 
> quite old) since they never responded to my requests to add me to that 
> project and I lost interest
> - there are so many false positives I got fed up looking at them
> - the bug reporting is way too clunky compared to just using Eclipse or 
> any other decent IDE
> - it missed most (all if I recall correctly - I don't have the time or 
> inclination to check) of the XSS issues we know were in 4.1.10 onwards

Mark,

if I got you and Jim correctly, the free service provided by Coverity is 
almost worthless because the positive to false positive rate is awfully 
bad?
From your point of view this tool isn't worth 50 k$?

I thought the tools are directly given to the projects. If they do not 
tell you what they have scanned, it's pretty superfluous to me.

Thanks
-- 
<NO> OOXML - Say NO To Microsoft Office broken standard
http://www.noooxml.org

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: Assuring Security by testing

Posted by Jim Manico <ji...@manico.net>.
> if I got you and Jim correctly, the free service provided by Coverity 
> is almost worthless because the positive to false positive rate is 
> awfully bad?
> From your point of view this tool isn't worth 50 k$?

Tool being worth 50k? I don't think so. A group of trained humans can do 
it much cheaper with 90% or more coverage with less false positives.

But I am biased, this is what I do for a living.

I think the only situation where one would use Fortify/Coverity is when 
I have too many apps to manually review, and I really don't care about 
complete appSec coverage (like I just need to pass an audit and I don't 
really care about security)

- Jim
> Mark Thomas wrote:
>> Jim Manico wrote:
>>> The Fortify Opensource project automatically scans the Tomcat 
>>> codebase on a regular basis.
>>>
>>> This probably only gives you 10% security coverage at best, but it's 
>>> a free report from a $50k tool.
>>>
>>> http://opensource.fortifysoftware.com
>>
>> A great example of why I don't have much faith (hope for the 
>> future yes - faith for the current crop no) in these tools. In summary:
>> - they are looking at 4.1.10, 5.5.20 and 6.?
>> - I don't know which TC6 version they analysed (but I suspect it is 
>> quite old) since they never responded to my requests to add me to 
>> that project and I lost interest
>> - there are so many false positives I got fed up looking at them
>> - the bug reporting is way too clunky compared to just using Eclipse 
>> or any other decent IDE
>> - it missed most (all if I recall correctly - I don't have the time 
>> or inclination to check) of the XSS issues we know were in 4.1.10 
>> onwards
>
> Mark,
>
> if I got you and Jim correctly, the free service provided by Coverity 
> is almost worthless because the positive to false positive rate is 
> awfully bad?
> From your point of view this tool isn't worth 50 k$?
>
> I thought the tools are directly given to the projects. If they do not 
> tell you what they have scanned, it's pretty superfluous to me.
>
> Thanks


-- 
Jim Manico, Senior Application Security Engineer
jim.manico@aspectsecurity.com | jim@manico.net
(301) 604-4882 (work)
(808) 652-3805 (cell)

Aspect Security™
Securing your applications at the source
http://www.aspectsecurity.com

