Dailydave mailing list archives

Re: @stake SafeApps


From: "Matt Hargett" <matt () use net>
Date: Mon, 24 Nov 2003 16:31:45 -0800

On Tue, Nov 25, 2003 at 12:45:40AM +0100, Halvar Flake wrote:
> > I think this is cool, though. More competition in this space will mean that
> > the tools will just get better faster and in turn software will be made more
> > secure faster. (I am such a QA nerd.)
>
> And boy, they do need to get better fast :-P
>
> I thought you would be opposed, I mean when they get good won't they put
> you out of work?

Halvar and I have already had this conversation, but for the benefit of the
others on this list to flame me, here is my take resummarized :)

I don't think it puts anyone out of work. It's like saying scanners replace
pen-testers. They generally only replace the really shitty ones who were
scammers in the first place, trying to get by on name or reputation alone.
We tell our customers that these tools are by no means a replacement for
manual reviews or runtime fault injection/fuzzing/whatever the fuq it's
called this week. I never use just one tool of any kind, because in my
experience, you will miss things. Even multiple tools with the same approach
is something I would recommend. For example, I used Purify exclusively for
years. Then I tried Insure++ on some Purify-clean code and found some
heinous bugs that had been lurking. Same thing with PC-Lint and
Prefix/Prefast. (So far valgrind hasn't found anything insure++ didn't, but
valgrind is free.)

I do honestly think these tools individually raise the bar, but real
progress can only be made by using them all together (I'm avoiding the word
synergy here.). If I didn't think it helped, I wouldn't be spending my time
working in this space.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
