
Speaking of Secure Programming

A few months ago, while we were still in the thick of finishing off the book (Secure Programming with Static Analysis) and hadn't yet started focusing on selling it, Brian and I recorded an interview with Informit's new OnSoftware podcast where we talked about software security and the kind of material we cover in the book.

Well, months later the book is finished and now the interview we recorded is available for mass consumption through iTunes as either a video or audio podcast. You can subscribe to the podcast series on www.onpodcastweekly.com or link directly to our episode at http://media.podhoster.com/peachpittv/05_SOF_ChessWest_01.mp4.

Secure Programming with Static Analysis has gotten some nice attention from other sources, too. Gary McGraw recently posted the foreword he wrote for the book on his Justice League security blog http://www.cigital.com/justiceleague/2007/07/06/from-the-foreword-to-secure-programming-with-static-analysis and SANS has a nice interview with Brian up at http://www.sans.edu/resources/securitylab/brian_chess.php. I particularly like the part in the SANS interview where Brian takes credit for all the typos in the book ;-).

Comments (2)

Some vendors believe that tools to scan source for developers should be free and that they should charge for consoles. Could you provide in your next blog entry your thoughts on this matter?

Likewise, any future thoughts on why software vendors aren't purchasing tools such as the one you offer would be great.

James,

Thanks for your comments and questions.

When it comes to static analysis tools, I'm a firm believer that you cannot overestimate the value of the interface they provide auditors. Without a strong user interface, potential bugs are harder to evaluate, the evidence the tool has about whether a bug is real is harder to verify, and decisions made during an audit are harder to persist and propagate.

With that said, a great deal of effort goes into the internals of a good analysis tool and I think it's unlikely that the amount of research and development efforts necessary to maintain the level of innovation we've come to expect could continue if the offering were not a commercial product.

As for software vendors, they are definitely buying and using tools to help them build secure software. Microsoft, Apple, Adobe, EMC, Symantec, and Oracle are all heavy users of static analysis technologies, and they are only the tip of the iceberg.

Cheers,

Jacob


This page contains a single entry from the blog posted on July 10, 2007 12:03 PM.
