Re: [SC-L] RE: The role static analysis tools play in uncovering elements of design

2006-02-07 Thread Crispin Cowan
Jeff Williams wrote: I think there's a lot more that static analysis can do than what you're describing. They're not (necessarily) just fancy pattern matchers. ... Today's static analysis tools are only starting to help here. Tools focused on dumping out a list of vulnerabilities don't work

[SC-L] RE: The role static analysis tools play in uncovering elements of design

2006-02-05 Thread Brian Chess
Jeff Williams [EMAIL PROTECTED] wrote: I think there's a lot more that static analysis can do than what you're describing. They're not (necessarily) just fancy pattern matchers. Jeff, you raise an important point. Getting good value out of static analysis requires a second component in

[SC-L] RE: The role static analysis tools play in uncovering elements of design

2006-02-04 Thread Jeff Williams
I think there's a lot more that static analysis can do than what you're describing. They're not (necessarily) just fancy pattern matchers. Static analysis can add security meta-information to a software baseline. If the tool knows which methods are related to which security mechanisms, it can