Jeff Williams wrote:

> I think there's a lot more that static analysis can do than what you're
> describing. They're not (necessarily) just fancy pattern matchers.
> ...
> Today's static analysis tools are only starting to help here. Tools focused
> on dumping out a list of vulnerabilities don't work well for me. Too many
> false alarms. Maybe that's what you meant by 'inhibit'.
>

In the general case, I think that any kind of analysis tool (static analyzer, fuzzing tool, debugger, whatever) focuses the analyst's attention on whatever aspects the tool author thought was important. Whether this is a good or bad thing depends on whether you agree with the author.
Using no tools at all just imposes a different bias filter, as humans are (relatively) good at spotting some kinds of patterns, and not others.

Crispin

> --Jeff
>
> Jeff Williams, CEO
> Aspect Security
> http://www.aspectsecurity.com
> email: [EMAIL PROTECTED]
> phone: 410-707-1487
>
> ________________________________________
> From: John Steven [mailto:[EMAIL PROTECTED]
> Sent: Friday, February 03, 2006 1:40 PM
> To: Jeff Williams; Secure Coding Mailing List
> Subject: The role static analysis tools play in uncovering elements of
> design
>
> Jeff,
>
> An unpopular opinion I’ve held is that static analysis tools, while very
> helpful in finding problems, inhibit a reviewer’s ability to collect as
> much information about the structure, flow, and idiom of code’s design as
> the reviewer might find if he/she spelunks the code manually.
>
> I find it difficult to use tools other than source code navigators (source
> insight) and scripts to facilitate my code understanding (at the
> design-level).
>
> Perhaps you can give some examples of static analysis library/tool use that
> overcomes my prejudice—or are you referring to the navigator tools as well?
>
> -----
> John Steven
> Principal, Software Security Group
> Technical Director, Office of the CTO
> 703 404 5726 - Direct | 703 727 4034 - Cell
> Cigital Inc. | [EMAIL PROTECTED]
>
> 4772 F7F3 1019 4668 62AD 94B0 AE7F EEF4 62D5 F908
>
> ----snipped----
> Static analysis tools can help a lot here. Used properly, they can provide
> design-level insight into a software baseline. The huge advantage is that
> it's correct.
>
> --Jeff
> ----snipped----
>
> _______________________________________________
> Secure Coding mailing list (SC-L)
> SC-L@securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php

--
Crispin Cowan, Ph.D.  http://crispincowan.com/~crispin/
Director of Software Engineering, Novell  http://novell.com
Olympic Games: The Bi-Annual Festival of Corruption