Home page logo
/

dailydave logo Dailydave mailing list archives

Re: The Static Analysis Market and You
From: "Dave Korn" <dave.korn () artimi com>
Date: Tue, 14 Oct 2008 19:25:13 +0100

Dave Aitel wrote on 14 October 2008 15:53:

 One
possibility is that more research dollars will flood into the space
and the technology will get better and live up to its marketing.
Another possibility is that no matter how much you spend, pure static
analysis can't do the things you want it to do (the IBM and to some
extent Fortify bet).

Which is it?

  You really asking, or is that just rhetorical?  It's blatantly option B.

  If your code compiles without warnings and lint errors, you've probably
already got 99% of what these tools can do for you, for free.  And the other
1% is the stuff that needs a skilled human being to look at it, anyway; until
we get a real AI working on it, none of this stuff is a great deal more subtle
than "grep -R strcpy *".

[1] http://www.armorize.com/corpweb/en/products/codesecure

  Had to read the source just to even get a look at that one, and found a bit
that made me LOLWTF:

        </table>
<script>
        //var path = '../';

        //for(i=1; i<level; i++) path = path + "../";
        //for(j=1; j<10; j++) document.getElementById('img'+j).src = path +
'imgs/list2.jpg';
        //alert('http://www.armorize.com/corpweb&apos;);
        /*var app=navigator.appName.substring(0,1);
        if(app=='M')
        {
                for(k=1; k<10; k++)
                {
                        document.getElementById('link'+k).href = path +
document.getElementById('link'+k).getAttribute('href');
                }
                alert(document.getElementById('link1').href);
        }
        else
        {
                for(k=1; k<10; k++) document.getElementById('link'+k).href =
path + document.getElementById('link'+k).getAttribute('href');
        }*/
</script>


  Heh.  Disabled now, but it really does look a lot like at some point
somebody had never heard of absolute paths ...


    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]