David A. Wheeler wrote:
> Brian Chess (brian at fortifysoftware dot com) said:
>> False positives:
>> Nobody likes dealing with a pile of false positives, and we work hard to
>> reduce false positives without giving up potentially exploitable
>> vulnerabilities.
> I think everyone agrees that there are "way too many false positives"
> in the sense that "there are so many it's annoying and it costs money
> to check them out" in most of today's tools.
>
> But before you say "tools are useless" you have to ask, "compared to
> what?"
> Manual review can find all sorts of things, but manual review is likely
> to miss many serious problems too. ESPECIALLY if there are only a
> few manual reviewers for a large codebase, an all-too-common situation.

I would like to introduce you to my new kick-ass scanning tool. You run it over your source code, and it only produces a single false positive for you to check out. That false positive just happens to be the complete source code listing for your entire program :)

Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering, Novell http://novell.com

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php