Comments on: Musings on Custer’s Last Stand

By: Blog Lists of the Best Security Blogs (Worth a Read/Bookmarks)

Blog Lists of the Best Security Blogs (Worth a Read/Bookmarks) — Thu, 08 Mar 2012 15:14:31 +0000

[...] Veracode Blog http://www.veracode.com/blog/2011/08/musings-on-custers-last-stand/ [...]

By: Veracode Blog » Welcome to the NEW Veracode Blog!

Veracode Blog » Welcome to the NEW Veracode Blog! — Wed, 21 Dec 2011 01:57:15 +0000

[...] And we’ll never shy away from controversy as Chris Wysopal demonstrated in his response to the Oracle CSO blog attacking Veracode and Chris Eng’s recent post about the dysfunction that often exists between developers and the [...]

By: So-so SASO … So What? | BlogInfoSec.com

So-so SASO … So What? | BlogInfoSec.com — Mon, 26 Sep 2011 10:01:48 +0000

[...] I was pointed to Veracode’s Chris Wysopal’s response “Musings on Custer’s Last Stand” at http://www.veracode.com/blog/2011/08/musings-on-custers-last-stand/ by an email from Tom Brennan of OWASP. The result was that I thought I should begin again and [...]

By: Larry

Larry — Fri, 16 Sep 2011 15:32:21 +0000

It’s odd how Guys like Andre Gironda can defend Oracle avoiding any comments about facts as:
- Their laughable “Unbreakable” marketing campaign was famously debunked by security expert David Litchfield
- They’ve also earned a reputation for glacial response times and sloppy patches.

He is right we may leave Oracle alone, completely alone…Avoiding to buy crappy Software.

By: Network Security Podcast, Episode 253 » 信息安全播客

Network Security Podcast, Episode 253 » 信息安全播客 — Wed, 07 Sep 2011 13:43:20 +0000

[...] Pissing match between Oracle and Veracode. [...]

By: Chris Wysopal

Chris Wysopal — Wed, 07 Sep 2011 13:28:02 +0000

While 3rd party testing is important for people consuming software, SDLC based testing is important for people building software. Testing after the software is built certainly does not replace security processes during the SDLC. It is merely verification that those processes took place. The majority of Veracode customers are using our service during the SDLC to build secure software. Some do 3rd party testing in addition but not all.

We believe enterprise application security programs cannot stop at the code you write but must include testing of the components and libraries you use to build your internal software and must include testing of software packages you purchase.

Advocating for 3rd party testing does not mean we don’t believe the best place for software security testing isn’t the SDLC. We also don’t believe automated testing is all that should be done during the SDLC to produce secure software. We think training is incredibly important and offer dozens of eLearning courses. We also think application security experts should be part of any SDLC so we have dozens of partners that can perform threat modeling, design reviews, secure architecture, and manual security testing for our customers in concert with our automation.

Automated testing is part of the application security solution. It is our focus but since day one as a company over 5 years ago we have never said automated testing was a complete application security solution. It will always be people process and technology.

By: Network Security Blog » Network Security Podcast, Episode 253

Network Security Blog » Network Security Podcast, Episode 253 — Tue, 06 Sep 2011 23:57:23 +0000

[...] Pissing match between Oracle and Veracode. [...]

By: Network Security Podcast » Blog Archive » Network Security Podcast, Episode 253

Tue, 06 Sep 2011 23:56:17 +0000

[...] Pissing match between Oracle and Veracode. [...]

By: Hannibal Lecter

Hannibal Lecter — Sat, 03 Sep 2011 04:46:07 +0000

“Though not unusual for CSO’s in the Fortune 500 at large, Davidson’s lack of formal training in technology stands out among CSO’s for major technology companies; her peers include former software developer John Stewart, CSO of Cisco Systems, computer forensics expert Howard Schmidt, former CSO of Microsoft, and famed cryptographer Whitfield Diffie, CSO of Sun Microsystems.”

By: Larry Suto

Larry Suto — Thu, 01 Sep 2011 04:56:54 +0000

I think it is important to have the option of an ecosystem where you can outsource scanning and static analysis because it can provide valuable information that leads to the discovery of security problems.

The problem is that software security requires predictions to be be made on state transitions in some very complex execution contexts. The simple state tracing automata that we have today is woefully inadequate just ask any one who has done manual code review for any length of time.

I think Veracode provides a valuable service but since static analysis still has a long way to go it is just not enough for providing a reasonable sense of assurance on any software system of significant complexity.