I think there's a lot more that static analysis can do than what you're
describing. They're not (necessarily) just fancy pattern matchers.

Static analysis can add security meta-information to a software baseline. If
the tool knows which methods are related to which security mechanisms, it
can help you find, navigate, and understand their design. The tools help me
generate a security 'view' of a software baseline.

Does the application do encryption? Is it centralized? What algorithms are
used? What data flows are affected? Are there any paths around the
encryption? Where are the keys stored? Is there proper error handling and
logging for the encryption mechanism? Static analysis tools make answering
all these questions easier.

Today's static analysis tools are only starting to help here. Tools focused
on dumping out a list of vulnerabilities don't work well for me. Too many
false alarms. Maybe that's what you meant by 'inhibit'.

Jeff Williams, CEO
Aspect Security
phone: 410-707-1487
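As an added example (not code from this thread, from Aspect Security or from Cigital), here is a small Python script that builds the kind of "security view" described above: it walks a module's AST, records every call into a crypto mechanism, the cipher modes and weak algorithms in use, and whether key material comes from an inline literal or a module-level constant. The sample module, the catalogue of crypto callables (CRYPTO_CALLS) and the weak-algorithm set (WEAK_ALGOS) are assumptions constructed for the example.

```python
import ast
# Constructed sample input (not from the thread); the crypto API use is illustrative.
SAMPLE = """\
import hashlib
from Crypto.Cipher import AES
KEY = b"0123456789abcdef"
def encrypt(data):
    c = AES.new(KEY, AES.MODE_CBC)
    return c.encrypt(data)
def fingerprint(data):
    return hashlib.md5(data).hexdigest()
"""
CRYPTO_CALLS = {"AES.new", "hashlib.md5", "hashlib.sha256", "Fernet"}  # hypothetical catalogue
WEAK_ALGOS = {"hashlib.md5"}

def dotted(node):
    # Render a Name/Attribute chain such as AES.new as a dotted string.
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute) and (base := dotted(node.value)):
        return f"{base}.{node.attr}"
    return None

def security_view(source):
    tree = ast.parse(source)
    # Module-level literal assignments are candidate hardcoded key material.
    literals = {t.id: s.lineno for s in tree.body if isinstance(s, ast.Assign)
                and isinstance(s.value, ast.Constant)
                for t in s.targets if isinstance(t, ast.Name)}
    view = {"sites": [], "modes": [], "weak": [], "literal_keys": []}
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        callee = dotted(node.func)
        if callee not in CRYPTO_CALLS:
            continue
        view["sites"].append((node.lineno, callee))
        if callee in WEAK_ALGOS:
            view["weak"].append((node.lineno, callee))
        for arg in node.args:
            name = dotted(arg)
            if isinstance(arg, ast.Constant) and isinstance(arg.value, (bytes, str)):
                view["literal_keys"].append((node.lineno, callee, "inline literal"))
            elif name in literals:  # key flows in from a module-level constant
                view["literal_keys"].append((node.lineno, callee, f"{name} at line {literals[name]}"))
            elif name and ".MODE_" in name:
                view["modes"].append((node.lineno, name))
    for entries in view.values():
        entries.sort()
    return view
```

Running `security_view(SAMPLE)` reports the AES call site with its CBC mode and its key traced back to the module constant, plus the MD5 call as a weak algorithm; pointing it at a real baseline means extending CRYPTO_CALLS with the project's own wrappers.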
From: John Steven [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 03, 2006 1:40 PM
To: Jeff Williams; Secure Coding Mailing List
Subject: The role static analysis tools play in uncovering elements of
An unpopular opinion I've held is that static analysis tools, while very
helpful in finding problems, inhibit a reviewer's ability to collect as
much information about the structure, flow, and idiom of code's design as
the reviewer might find if he/she spelunks the code manually.

I find it difficult to use tools other than source code navigators (Source
Insight) and scripts to facilitate my code understanding (at the

Perhaps you can give some examples of static analysis library/tool use that
overcomes my prejudice—or are you referring to the navigator tools as well?

John Steven
Principal, Software Security Group
Technical Director, Office of the CTO
703 404 5726 - Direct | 703 727 4034 - Cell
Cigital Inc.          | [EMAIL PROTECTED]

4772 F7F3 1019 4668 62AD  94B0 AE7F EEF4 62D5 F908

Static analysis tools can help a lot here. Used properly, they can provide
design-level insight into a software baseline. The huge advantage is that
it's correct.


Secure Coding mailing list (SC-L)
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php