Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: True Source Code Analysis for Security
From: John Kinsella <jlk () thrashyour com>
Date: Mon, 2 Nov 2009 17:36:11 -0800

Note to self: Always trust "white papers" that say things like "This is not a sales-pitch."

Maty, could you cite examples "many" vendors you're talking about? Otherwise this has little value and cannot be vetted.

Regarding your "Non Linking Code" example, there's a reason we want the libraries so we can accurately compile the code - with the code sample given, external libs could be filtering either user input or the sql statements.

I'm writing this as somebody who has used several major SCA tools - a quick glance of your company's site looks interesting, but right now I feel like I'm being marketed to.

John

On Oct 29, 2009, at 8:34 AM, Maty Siman wrote:

Source Code Analysis has become the de facto choice to introduce secure
development as well as gauge inherent software risk.
The irony is that source code analysis doesn‘t often look at the source at all. In fact, the majority of the products are using Binary analysis or byte-code analysis (BCA) created by the compiler. This method saves a great deal of effort when developing the analysis tools, but lowers drastically
the usability and accuracy of the results.

This technical paper – with detailed code examples – from Checkmarx research
labs, fills this gap and explains how developers, auditors and cloud
platform providers benefit from the inherent advantages of true source code
analysis tool.

http://www.checkmarx.com/NewsDetails.aspx?id=27&cat=3


Maty Siman, CISSP
Founder, CTO
Checkmarx Ltd.
www.checkmarx.com









------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------



------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]