tomcat-dev mailing list archives

From Jim Manico <...@manico.net>
Subject Re: Assuring Security by testing
Date Thu, 01 May 2008 13:26:49 GMT
> if I got you and Jim correctly, the free service provided by Coverity 
> is almost worthless because the positive to false positive rate is 
> awfully bad?
> From your point of view this tool isn't worth 50 k$?

Tool being worth 50k? I don't think so. A group of trained humans can do 
it much cheaper with 90% or more coverage and fewer false positives.

But I am biased, this is what I do for a living.

I think the only situation where one would use Fortify/Coverity is when 
I have too many apps to manually review, and I really don't care about 
complete appSec coverage (like I just need to pass an audit and I don't 
really care about security)

- Jim
> Mark Thomas wrote:
>> Jim Manico wrote:
>>> The Fortify Opensource project automatically scans the Tomcat 
>>> codebase on a regular basis.
>>>
>>> This probably only gives you 10% security coverage at best, but it's 
>>> a free report from a $50k tool.
>>>
>>> http://opensource.fortifysoftware.com
>>
>> A great example of why I don't have much faith (hope for the 
>> future yes - faith for the current crop no) in these tools. In summary:
>> - they are looking at 4.1.10, 5.5.20 and 6.?
>> - I don't know which TC6 version they analysed (but I suspect it is 
>> quite old) since they never responded to my requests to add me to 
>> that project and I lost interest
>> - there are so many false positives I got fed up looking at them
>> - the bug reporting is way too clunky compared to just using Eclipse 
>> or any other decent IDE
>> - it missed most (all if I recall correctly - I don't have the time 
>> or inclination to check) of the XSS issues we know were in 4.1.10 
>> onwards
>
> Mark,
>
> if I got you and Jim correctly, the free service provided by Coverity 
> is almost worthless because the positive to false positive rate is 
> awfully bad?
> From your point of view this tool isn't worth 50 k$?
>
> I thought the tools are directly given to the projects. If they do not 
> tell you what they have scanned, it's pretty superfluous to me.
>
> Thanks


-- 
Jim Manico, Senior Application Security Engineer
jim.manico@aspectsecurity.com | jim@manico.net
(301) 604-4882 (work)
(808) 652-3805 (cell)

Aspect Security™
Securing your applications at the source
http://www.aspectsecurity.com

