Home page logo

pen-test logo Penetration Testing mailing list archives

Re: True Source Code Analysis for Security
From: Jason Ross <algorythm () gmail com>
Date: Tue, 3 Nov 2009 01:28:52 -0500

On Thu, Oct 29, 2009 at 10:34 AM, Maty Siman <maty () checkmarx com> wrote:
This technical paper – with detailed code examples – from Checkmarx research
labs, fills this gap and explains how developers, auditors and cloud
platform providers benefit from the inherent advantages of true source code
analysis tool.


Maty Siman, CISSP
Founder, CTO
Checkmarx Ltd.

I was all set to call foul and shun this as spam but decided to give the
paper a look-through first. FWIW, while there's not a lot of real meat to
the doc, there's also no direct "buy our junk" either.

I do think the sample code is a bit unfair (eg. putting in non-compiling
code and claiming that because it doesn't compile it won't be analyzed
correctly. Since that same code would need to compile in order for the
app to be used, the bugs causing compilation to fail would be fixed, at
which point the binary analysis could resume.)

That said, I don't disagree with the premise: manual > automated, especially
in a maze of twisty passages, like source code analysis.


This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]