On Sun, Jun 29, 2008 at 12:49:34PM -0400, Dave Aitel wrote:
> I don't know if that's ever going to happen, but it's clear that what we
> have now is not even close to sustainable. It's a model that fails under
> exponential growth, like Twitter or anti-virus signatures.
>
> I've always wondered about the rest of our technology that fails in a
> similar way. Why do our application assessment tools not also fix the
> bugs they find?
Because they also find false positives?
> If you're trying to buy web application scanning, then
> your scanner should also be updating the application to fix those pesky
> SQL Injection bugs. Your binary/source analysis tool should be svn
> committing patches to fix your overflows. If you have to rely on a
> developer to understand the bugs themselves, it doesn't scale. Your
> network attack tool should upload and run the right patch
> automatically.[1] Does the modern generation of scanners do this?
Your proposition seems to fall between the "Automatic programming" and
"Program verification" paragraphs of the 1986 No Silver Bullet paper. I
suggest you reread it.
_______________________________________________
Dailydave mailing list
Dailydave_at_lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave
Received on Jun 29 2008