Dailydave mailing list archives

Re: Static and Dynamic Analysis


From: Jared DeMott <jdemott () vdalabs com>
Date: Mon, 11 Feb 2019 14:32:15 -0500

We use and have access to a number of both types of tools when we do dev
training and pentesting.  We find them fairly useful both for dev and for
red teaming.
On the dynamic side, we wrote a recent blog here:
https://www.vdalabs.com/2019/02/01/microsoft-security-risk-detection-writing-a-custom-test-harness-to-fuzz-libraries/
We'd be happy to connect people to MS if they're interested in buying time on
their range.

Thanks!
Jared


On Mon, Feb 11, 2019 at 2:00 PM Dave Aitel <dave.aitel () gmail com> wrote:

So one thing I often find weird about our industry is how it gets taken
over by marketing language and the utility of entire classes of products
gets clouded over. For example, part of any SDLC is going to be static and
dynamic analysis. However, if you ask a normal security manager what kinds
of bugs these sorts of products find or don't find, and what the false
positive levels are, they find it hard to answer, even assuming they use
them.

What I'm trying to do with INFILTRATE's Java Hacking
<http://infiltratecon.com/training/> class is get access to a modern
static analysis tool and be able to plug the class exercises into it. This
way, not only do you have a corpus of "Correct" vulnerabilities, but you
get to see what it looks like through the "Source-to-sink" algorithms, and
how to tell true positives from false positives, and also examine false
negatives.

Likewise, judging a static analysis tool is often about figuring out where
they set their dial. When you talk to the Chris's they will say they have
VERY LOW false positives, which is never my experience with any tool in
this area. But you can dial UP the false negatives to get lower false
positives for any tool like this. BUT DO YOU WANT TO? These are important
trade-off questions that need to be examined in the wild as opposed to
through marketing.

Anyways, sign up for the class, because it is a great class, and this may
be the first time anyone has done a corpus test on a static analysis tool
during class. :)

-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave



-- 
Thanks,

Dr. Jared DeMott
Founder, VDA Labs
www.vdalabs.com
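To make the corpus-test idea from Dave's quoted message concrete, here is an added example (not from this thread, nor from any tool mentioned in it): a toy source-to-sink taint check with one "dial" (whether sanitizers are trusted), scored as a confusion matrix against a small hand-labelled corpus. The statement IR, the corpus cases and their vulnerable/not-vulnerable labels are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Case:
    name: str
    program: tuple    # statements in the tiny IR described in analyse()
    vulnerable: bool  # ground truth label, as a curated corpus would provide

def analyse(program, trust_sanitizers):
    """Toy source-to-sink check over a constructed IR:
      ("source", v) v is attacker-controlled; ("assign", v, w) v = w;
      ("sanitize", v, w) v = sanitize(w); ("sink", v) v reaches a sink.
    trust_sanitizers is the dial: True believes every sanitizer (fewer
    reports, more false negatives); False believes none (more reports,
    more false positives)."""
    tainted = set()
    for stmt in program:
        op, dst = stmt[0], stmt[1]
        if op == "source":
            tainted.add(dst)
        elif op == "assign":
            tainted.discard(dst)
            if stmt[2] in tainted:
                tainted.add(dst)
        elif op == "sanitize":
            tainted.discard(dst)
            if stmt[2] in tainted and not trust_sanitizers:
                tainted.add(dst)
        elif op == "sink" and dst in tainted:
            return True  # tainted data reached a sink: report a finding
    return False

def score(corpus, trust_sanitizers):
    """Confusion matrix (TP/FP/FN/TN) of analyse() over a labelled corpus."""
    counts = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    for case in corpus:
        reported = analyse(case.program, trust_sanitizers)
        key = ("T" if reported == case.vulnerable else "F") + ("P" if reported else "N")
        counts[key] += 1
    return counts

# Constructed mini-corpus; "weak_sanitizer" is labelled vulnerable because the
# corpus author knows that sanitizer is the wrong one for this sink.
CORPUS = (
    Case("direct",         (("source", "a"), ("sink", "a")), True),
    Case("propagated",     (("source", "a"), ("assign", "b", "a"), ("sink", "b")), True),
    Case("good_sanitizer", (("source", "a"), ("sanitize", "b", "a"), ("sink", "b")), False),
    Case("weak_sanitizer", (("source", "a"), ("sanitize", "b", "a"), ("sink", "b")), True),
    Case("overwritten",    (("source", "a"), ("assign", "a", "k"), ("sink", "a")), False),
    Case("unrelated",      (("source", "a"), ("sink", "b")), False),
)
```

Dialled to trust sanitizers, the toy reports 2 TP, 0 FP and 1 FN on this corpus; dialled the other way it reports 3 TP, 1 FP and 0 FN, which is exactly the trade-off the message says has to be measured rather than taken from marketing.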
