Hey there,

> If you couldn't insert "ignore" directives, many people
> wouldn't use such tools at all, and would release code with
> vulnerabilities that WOULD be found by such tools.
Of course, much like an IDS, you have to find the baseline and adjust your ruleset according to the norm; if it is constantly firing on someone accessing /index.html of your website, then that's working against you.

I am not disagreeing with the fact that static source analysis is a good thing, I am just saying that this is a case where it failed (or maybe the user/developer of it failed or misunderstood its use). Fair enough that on this particular list you are going to defend source analysis over any other method, it is about secure coding after all, but I definitely still strongly disagree that other methods wouldn't have found this bug.

Shall we take a look at the customer lists of the big source analyzer companies, and then cross-map that to the number of vulnerabilities released? Why are we still finding bugs in software that has the SDL? Why are we still finding bugs in software that has been analyzed before the compiler has run? Why are these companies like Fortify charging an arm and a leg for such a technology when the bughunters are still beating the snot out of this stuff?

You guys all have much more experience on that end, so I am looking forward to your responses!

Cheers!
JS

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________
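The thread above turns on "ignore" directives that silence a static analyzer finding, and on tuning a noisy tool without tuning away the true positives. One practical control a practitioner can add to that workflow is a periodic audit of the suppressions themselves: every suppressed line is listed, and any suppression that sits on a call the team considers dangerous is flagged for a written justification. The script below is an added example for this reply, not code from the list or from any analyzer vendor. The suppression markers (bandit's `# nosec`, flake8's `# noqa`, clang-tidy's `// NOLINT`, Coverity's `/* coverity[...] */`, MSVC's `#pragma warning(disable ...)`) are real syntax, but the dangerous-call patterns, the comment stripping, and the two sample files are assumptions and heuristics constructed for this example.

```python
import re
from typing import Dict, List

# Suppression markers understood by common analyzers (assumed list for this
# example; add your own tool's marker as needed).
SUPPRESSION_MARKERS = {
    "nosec": re.compile(r"#\s*nosec\b"),                              # bandit
    "noqa": re.compile(r"#\s*noqa\b"),                                # flake8 and friends
    "NOLINT": re.compile(r"//\s*NOLINT\b"),                           # clang-tidy
    "coverity": re.compile(r"/\*\s*coverity\["),                      # Coverity
    "pragma": re.compile(r"#\s*pragma\s+warning\s*\(\s*disable"),     # MSVC
}

# Heuristic patterns for calls that should never be silenced without a written
# justification. Deliberately narrow so the audit stays readable; this is an
# assumed list, not any vendor's rule set.
DANGEROUS_PATTERNS = {
    "unbounded-copy": re.compile(r"\b(strcpy|strcat|gets|sprintf|vsprintf)\s*\("),
    "format-string": re.compile(r"\bprintf\s*\(\s*[A-Za-z_]"),        # printf(var), no literal
    "shell-exec": re.compile(r"\b(system\s*\(|popen\s*\(|shell\s*=\s*True)"),
    "deserialize": re.compile(r"\b(pickle\.loads?|yaml\.load)\s*\("),
}


def audit_suppressions(source: str, filename: str = "<input>") -> Dict[str, List[Dict]]:
    """List every suppressed line and flag those that silence a dangerous call.

    Returns {"suppressed": [...], "findings": [...]}, each entry carrying the
    file, 1-based line number, marker name and the source text.
    """
    suppressed: List[Dict] = []
    findings: List[Dict] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        marker = next((name for name, rx in SUPPRESSION_MARKERS.items() if rx.search(line)), None)
        if marker is None:
            continue
        entry = {"file": filename, "line": lineno, "marker": marker, "text": line.strip()}
        suppressed.append(entry)
        # Inspect only the code before the comment that carries the marker.
        # Crude comment stripping: good enough for an audit listing, not a parser.
        code = line.split("//")[0].split("#")[0].split("/*")[0]
        for category, rx in DANGEROUS_PATTERNS.items():
            if rx.search(code):
                findings.append(dict(entry, category=category))
    return {"suppressed": suppressed, "findings": findings}


# Constructed sample inputs, not real project code.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>

void log_user(const char *name) {
    char buf[64];
    strcpy(buf, name);     /* coverity[buffer_size_warning] */
    printf(name);          // NOLINT
    puts(buf);
}
"""

SAMPLE_PY = """\
import subprocess

def run(cmd):
    return subprocess.call(cmd, shell=True)  # nosec

def render(x):
    return "%s" % x  # noqa
"""


if __name__ == "__main__":
    for name, src in (("user.c", SAMPLE_C), ("runner.py", SAMPLE_PY)):
        report = audit_suppressions(src, name)
        print(f"{name}: {len(report['suppressed'])} suppressions, "
              f"{len(report['findings'])} need justification")
        for f in report["findings"]:
            print(f"  {f['file']}:{f['line']} [{f['marker']}] {f['category']}: {f['text']}")
```

Run it over a source tree and review the findings list in the same way you would review an IDS rule that has been disabled: a suppression on `strcpy` or on `printf(var)` is either a documented false positive or a live bug, and the audit forces someone to say which. The `noqa` on the pure formatting line is listed but not flagged, which is the baseline-tuning case from the reply above.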