Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Fwd: Re: tools to scan source code
From: Nicolas RUFF <nicolas.ruff () gmail com>
Date: Thu, 14 Sep 2006 10:10:20 +0200

Static parsers do not find security flaws (security defects in
architecture and
design) that can only be found with manual secure code reviews and
secure architecture
design review.


Static analysis is very good at finding "mathematically provable" flaws
(ie. writing at offset 11 of a 10-element array).

However I do not know any analyzer of any kind that would raise an alarm
on a trivial backdoor such as hardcoded username/password ...

I am not even sure this is mathematically feasible ...

Conclusion : tools are *very* useful (especially code browsing tools),
but manual auditing can still find bugs that nothing else ever could.

- Nicolas RUFF

This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]