RE: The role static analysis tools play in uncovering elements of design

[crispin at novell.com (Crispin Cowan)]

Jeff Williams wrote:
> I think there's a lot more that static analysis can do than what you're
> describing. They're not (necessarily) just fancy pattern matchers.
> ...
> Today's static analysis tools are only starting to help here. Tools focused
> on dumping out a list of vulnerabilities don't work well for me. Too many
> false alarms.  Maybe that's what you meant by 'inhibit'.
>   
In the general case, I think that any kind of analysis tool (static
analyzer, fuzzing tool, debugger, whatever) focuses the analyst's
attention on whatever aspects the tool author thought was important.
Whether this is a good or bad thing depends on whether you agree with
the author.

Using no tools at all just imposes a different bias filter, as humans
are (relatively) good at spotting some kinds of patterns, and not others.

Crispin

> --Jeff
>  
> Jeff Williams, CEO
> Aspect Security
> http://www.aspectsecurity.com
> email: jeff.williams at aspectsecurity.com
> phone: 410-707-1487
>  
> ________________________________________
> From: John Steven [mailto:jsteven at cigital.com] 
> Sent: Friday, February 03, 2006 1:40 PM
> To: Jeff Williams; Secure Coding Mailing List
> Subject: The role static analysis tools play in uncovering elements of
> design 
>
> Jeff,
>
> An unpopular opinion I?ve held is that static analysis tools, while very
> helpful in finding problems, inhibit a reviewer?s ability to find collect as
> much information about the structure, flow, and idiom of code?s design as
> the reviewer might find if he/she spelunks the code manually.
>
> I find it difficult to use tools other than source code navigators (source
> insight) and scripts to facilitate my code understanding (at the
> design-level). 
>
> Perhaps you can give some examples of static analysis library/tool use that
> overcomes my prejudice?or are you referring to the navigator tools as well?
>
> -----
> John Steven                                   
> Principal, Software Security Group
> Technical Director, Office of the CTO
> 703 404 5726 - Direct | 703 727 4034 - Cell
> Cigital Inc.          | jsteven at cigital.com
>
> 4772 F7F3 1019 4668 62AD  94B0 AE7F EEF4 62D5 F908
>
>   
> ----snipped----
> Static analysis tools can help a lot here. Used properly, they can provide
> design-level insight into a software baseline. The huge advantage is that
> it's correct.
>
> --Jeff 
> ----snipped----
> ________________________________________
> This electronic message transmission contains information that may be
> confidential or privileged. The information contained herein is intended
> solely for the recipient and use by any other party is not authorized. If
> you are not the intended recipient (or otherwise authorized to receive this
> message by the intended recipient), any disclosure, copying, distribution or
> use of the contents of the information is prohibited. If you have received
> this electronic message transmission in error, please contact the sender by
> reply email and delete all copies of this message. Cigital, Inc. accepts no
> responsibility for any loss or damage resulting directly or indirectly from
> the use of this email or its contents.
> Thank You.
> ________________________________________
>
>
> _______________________________________________
> Secure Coding mailing list (SC-L)
> SC-L at securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
>   

-- 
Crispin Cowan, Ph.D.                      http://crispincowan.com/~crispin/
Director of Software Engineering, Novell  http://novell.com
        Olympic Games: The Bi-Annual Festival of Corruption