[Owasp-leaders] HP NEWS: Briefing on the First Real-time Application Security Analysis Solution

Andre Gironda andreg at gmail.com
Thu Apr 28 17:34:05 EDT 2011


On Thu, Apr 28, 2011 at 1:24 PM, Jim Manico <jim.manico at owasp.org> wrote:
> Dre,
>
> I actually think those are fair and good questions.

Ok, I'll move on to the harder ones then.

Why doesn't Fortify SCA support Perl, PHP, Python, Ruby, or other
dynamic languages? While it's common knowledge that managed code
languages such as Java Enterprise, .NET, and ASP/JSP can fall back to
their type system for static analysis -- some tools such as Ruby flog
have been developed in the FOSS world that get around these issues.

Before they answer that Fortify has support for some of those
languages, it would be nice to explain that RIPS for PHP and similar
point-solution FOSS tools have significantly better (in terms of risk
management) findings, as well as several orders of magnitude less
error rates (FP/FNs) -- and are easier to use.

Why do WebInspect and AMP require a significant amount of hardware
resources (and external RDBMSes) compared to, say, Arachni or w3af,
which seem to have similar findings with similar error rates? The
footprint of WI/AMP is huge by comparison -- yet a feature-by-feature
comparison would have you believe that the FOSS solutions provide more
value than the commercial solutions, with easier installation and
other significant competitive advantages. Even SAFEcode believes this
to be true -- as they recommend w3af as the only DAST solution in
their guidance. Do you have any plans to "slim down" these products?

If Fortify PTA (or a successor) is going to work with DAST tools to
provide DAST+SAST capabilities, then why won't it also work with
FOSS or low-cost tools such as Burp Suite Professional, Netsparker,
w3af, sqlmap, Metasploit, x5s, fimap, wXf, BeEF, Arachni, JavaSnoop,
or skipfish? Again, the footprint of building something like
PTA+WebInspect would only increase the hardware and component
requirements.

If the focus is on combining software quality tools with application
security -- why haven't we seen more HP/Fortify integration with
SmartBear Software AutomatedQA TestComplete, Selenium IDE, Selenium RC
/ Bromine (and derivatives, including flash-selenium and
silverlight-selenium), WebDriver, Watir (and derivatives, including
WatiN, Watij, firewatir, flash-watir) or even HP's own QTP?

--
Ok, I'll stop with the harshing. How about something nice to say? Try:

Thanks for bringing the community SWFScan. It's still the only free
tool that can decompile AS2 and AS3 -- and additionally it happens to
include security analysis functionality as well. Have any updates or
research been done into Flash/Flex/AIR and ActionScript security since
its release? Will the community ever get to see an update to SWFScan
or perhaps other tools that can help them with securing RIA
applications?

HP ASC has worked in the past with many outside appsec consulting
companies, such as Stach & Liu and Gotham Digital Science -- yet there
are at least 12 application penetration-testing groups inside HP. Is
there any plan to get these companies and internal groups working
together and establish thought leadership in order to build a strong
community around HP ASC products/services?

Fortify has graciously donated resources to OWASP in many forms --
what are HP/Fortify's plans to give aid to OWASP in the future?
