Jeff Williams wrote:
> I think there's a lot more that static analysis can do than what you're
> describing. They're not (necessarily) just fancy pattern matchers.
> ...
> Today's static analysis tools are only starting to help here. Tools focused
> on dumping out a list of vulnerabilities don't work well for me. Too many
> false alarms.  Maybe that's what you meant by 'inhibit'.
In the general case, I think that any kind of analysis tool (static
analyzer, fuzzing tool, debugger, whatever) focuses the analyst's
attention on whatever aspects the tool author thought was important.
Whether this is a good or bad thing depends on whether you agree with
the author.

Using no tools at all just imposes a different bias filter, as humans
are (relatively) good at spotting some kinds of patterns, and not others.


> --Jeff
> Jeff Williams, CEO
> Aspect Security
> phone: 410-707-1487
> ________________________________________
> From: John Steven [mailto:[EMAIL PROTECTED] 
> Sent: Friday, February 03, 2006 1:40 PM
> To: Jeff Williams; Secure Coding Mailing List
> Subject: The role static analysis tools play in uncovering elements of
> design 
> Jeff,
> An unpopular opinion I’ve held is that static analysis tools, while very
> helpful in finding problems, inhibit a reviewer’s ability to find collect as
> much information about the structure, flow, and idiom of code’s design as
> the reviewer might find if he/she spelunks the code manually.
> I find it difficult to use tools other than source code navigators (source
> insight) and scripts to facilitate my code understanding (at the
> design-level). 
> Perhaps you can give some examples of static analysis library/tool use that
> overcomes my prejudice—or are you referring to the navigator tools as well?
> -----
> John Steven                                   
> Principal, Software Security Group
> Technical Director, Office of the CTO
> 703 404 5726 - Direct | 703 727 4034 - Cell
> Cigital Inc.          | [EMAIL PROTECTED]
> 4772 F7F3 1019 4668 62AD  94B0 AE7F EEF4 62D5 F908
> ----snipped----
> Static analysis tools can help a lot here. Used properly, they can provide
> design-level insight into a software baseline. The huge advantage is that
> it's correct.
> --Jeff 
> ----snipped----
> ________________________________________
> This electronic message transmission contains information that may be
> confidential or privileged. The information contained herein is intended
> solely for the recipient and use by any other party is not authorized. If
> you are not the intended recipient (or otherwise authorized to receive this
> message by the intended recipient), any disclosure, copying, distribution or
> use of the contents of the information is prohibited. If you have received
> this electronic message transmission in error, please contact the sender by
> reply email and delete all copies of this message. Cigital, Inc. accepts no
> responsibility for any loss or damage resulting directly or indirectly from
> the use of this email or its contents.
> Thank You.
> ________________________________________
> _______________________________________________
> Secure Coding mailing list (SC-L)
> List information, subscriptions, etc -
> List charter available at -

Crispin Cowan, Ph.D.            
Director of Software Engineering, Novell
        Olympic Games: The Bi-Annual Festival of Corruption

Secure Coding mailing list (SC-L)
List information, subscriptions, etc -
List charter available at -

Reply via email to