Home page logo

bugtraq logo Bugtraq mailing list archives

RE: ITS4 from Cigital flawed
From: Gary McGraw <gem () cigital com>
Date: Thu, 21 Feb 2002 10:53:56 -0500

Both Microsoft and Cigital are committed to building secure and reliable
software.  Though simple tools can help, there is really  no substitute for
arming developers and architects with the information they need about
security.  Both "Building Secure  Software" and "Writing Secure Code" are
excellent resources that coders should use.

Cigital's open source security tool ITS4 was released two years ago as an
extensible framework for scanning code.  ITS4 and  related static analysis
approaches are only as strong as the rules they apply. We encourage
Microsoft and others to create more  rules for ITS4 (and other tools) and
make those rules available for all developers and analysts.  Before ITS4, no
such collection  of rules existed.  We believe directed code review using
static analysis tools to assist is the best way to detect potential security
coding errors, and that education and training are the best ways to prevent

Source code review is only one part of a complete approach to software
security.  There are currently no automated solutions  to architectural
review which is clearly as important as ferreting out implementation

Gary McGraw

p.s. More relevant technical criticism of ITS4 can be found in John Viega,
J.T. Bloch, Tadayoshi Kohno & Gary McGraw  (2000) ITS4: A Static
Vulnerability Scanner for C and C++ Code. In the Proceedings of ACSAC 2000,
December, 2000.   Parser-based approaches provide a superior framework for

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]