I think there's a lot more that static analysis can do than what you're describing. They're not (necessarily) just fancy pattern matchers.
Static analysis can add security meta-information to a software baseline. If the tool knows which methods are related to which security mechanisms, it can help you find, navigate, and understand their design. The tools help me generate a security 'view' of a software baseline. Does the application do encryption? Is it centralized? What algorithms are used? What data flows are affected? Are there any paths around the encryption? Where are the keys stored? Is there proper error handling and logging for the encryption mechanism? Static analysis tools make answering all these questions easier. Today's static analysis tools are only starting to help here. Tools focused on dumping out a list of vulnerabilities don't work well for me. Too many false alarms. Maybe that's what you meant by 'inhibit'. --Jeff Jeff Williams, CEO Aspect Security http://www.aspectsecurity.com email: [EMAIL PROTECTED] phone: 410-707-1487 ________________________________________ From: John Steven [mailto:[EMAIL PROTECTED] Sent: Friday, February 03, 2006 1:40 PM To: Jeff Williams; Secure Coding Mailing List Subject: The role static analysis tools play in uncovering elements of design Jeff, An unpopular opinion Ive held is that static analysis tools, while very helpful in finding problems, inhibit a reviewers ability to find collect as much information about the structure, flow, and idiom of codes design as the reviewer might find if he/she spelunks the code manually. I find it difficult to use tools other than source code navigators (source insight) and scripts to facilitate my code understanding (at the design-level). Perhaps you can give some examples of static analysis library/tool use that overcomes my prejudiceor are you referring to the navigator tools as well? ----- John Steven Principal, Software Security Group Technical Director, Office of the CTO 703 404 5726 - Direct | 703 727 4034 - Cell Cigital Inc. | [EMAIL PROTECTED] 4772 F7F3 1019 4668 62AD 94B0 AE7F EEF4 62D5 F908 ----snipped---- Static analysis tools can help a lot here. Used properly, they can provide design-level insight into a software baseline. The huge advantage is that it's correct. --Jeff ----snipped---- ________________________________________ This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ________________________________________ _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php
