An unpopular opinion I’ve held is that static analysis tools, while very helpful in finding problems, inhibit a reviewer’s ability to find collect as much information about the structure, flow, and idiom of code’s design as the reviewer might find if he/she spelunks the code manually.
I find it difficult to use tools other than source code navigators (source insight) and scripts to facilitate my code understanding (at the design-level).
Perhaps you can give some examples of static analysis library/tool use that overcomes my prejudice—or are you referring to the navigator tools as well?
Principal, Software Security Group
Technical Director, Office of the CTO
703 404 5726 - Direct | 703 727 4034 - Cell
Cigital Inc. | [EMAIL PROTECTED]
4772 F7F3 1019 4668 62AD 94B0 AE7F EEF4 62D5 F908
Static analysis tools can help a lot here. Used properly, they can provide
design-level insight into a software baseline. The huge advantage is that
This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents.
_______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php