Fortify Advances Vulnerability Testing with HP

Two schools of application vulnerability testing are being brought together today with an extension of an alliance between Fortify Software and Hewlett-Packard.

Developed jointly by both companies, Hybrid 2.0 brings together static and dynamic vulnerability testing of application source code under a common framework. According to Russell Spitler, a Fortify product manager, Hybrid 2.0 will for the first time allow developers to see how an attack is exploiting vulnerabilities in their applications in real time.

As developers take increasing responsibility for the security of their applications, IT organizations need to provide developers with the appropriate sets of tools that will allow them to be proactive about fixing security flaws, said Spitler.

In addition to reducing the amount of time it takes to perform vulnerability testing, Spitler noted that integrating static and dynamic testing under one offering will also substantially reduce the number of false-positive results in the overall testing process.

Hybrid 2.0 combines elements of HP’s Assessment Management Platform for vulnerability testing with Fortify’s Source Code Analyzer and Program Trace Analyzer products.

The two companies plan to demonstrate Hybrid 2.0, which is scheduled to be available before the end of June, at RSA Conference 2010 in San Francisco next week.

Comments

Looks like a response to IBM and the AppScan/Ounce direction. They have a long way to go to equal O2's functionality, albeit complex. Making developers responsible for security is like making the bricklayer responsible for the architecture, imho.

This isn't at all interesting. Organizations have been able to create their own self-service portals with a lot more customization and information using free and/or open-source tools. Take for example these sets of tools at work:

1) w3af (the Web Application Attack and Audit Framework) -- FOSS on Sourceforge
2) Burp Suite (Burp Suite Pro is a US$200 commercial product) -- Free
3) ratproxy (written by Michal Zalewski, who works for Google and also owns the browsersec project) -- FOSS on Google Code
4) Casaba Watcher (web security testing tool compatible with OWASP ASVS) -- FOSS on Codeplex

There are open-source tools that emulate Fortify Program Trace Analyzer, such as EMMA. FindBugs and CAT.NET work in a similar way to Fortify's static analysis suite.

I've seen a few people comment on Twitter about this URL. They indicate that this solution (HP and Fortify) is better than IBM's through their Watchfire and Ounce acquisitions. However, Ounce has a dedicated open-source front-end to their commercial static analysis engine, which Dinis Cruz calls "O2" for "Ounce Open". O2 is highly regarded as the best framework for application security vulnerability inspection. Ask any highly regarded application security professional or team (e.g. Cigital, Aspect Security, Booz Allen Hamilton, et al).

To disclose my bias: I am not an open-source fan or fanatic. I do not (and have not) worked with any of these companies or products, but I am first-hand familiar with most or all of their creators, internals, and design/architecture. I like products that work for enterprises. Application lifecycle management hooks from HP, Fortify, and IBM such as "Hybrid 2.0", "Quality Manager", "Quality Center", "Assessment Management Platform (AMP)", et al do not currently work as advertised. They also do not and will not "allow developers to see how an attack is exploiting vulnerabilities in their applications in real time".

There are fundamental flaws in what you describe as the "two schools of application vulnerability testing". Gartner has not yet picked up on the subtle differences -- many industry analysts are missing the mark on the application security industry. This could be true because the industry is polluted with many people with self-interests. For example, Alan Paller and his associates at SANS have been well known for deceptive practices. They are currently borrowing heavily from OWASP (a non-profit organization that promotes application security through a wiki made up of Creative Commons licensed material and open-source application security helper tools), often without crediting the original source. Another example would be Gary McGraw, who is the CTO of Cigital (one of the largest application security consulting companies) -- who markets some of the fantastic work at Cigital wrongly as "science" and has other sociopathic behaviors. Finally, the worst offender is Jeremiah Grossman, CTO of WhiteHat Security, who blogs and tweets as a "security/hacker insider" when his ultimate goal is to market and sell his company's solution. Jeremiah comes from the one-sided "black-box" school of application vulnerability testing, and consistently goes against industry-approved solutions (promoting his own as the ONLY solution) and peer review.
