Penetration Testing mailing list archives

Re: True Source Code Analysis for Security


From: Jason Ross <algorythm () gmail com>
Date: Tue, 3 Nov 2009 01:28:52 -0500

On Thu, Oct 29, 2009 at 10:34 AM, Maty Siman <maty () checkmarx com> wrote:
This technical paper – with detailed code examples – from Checkmarx research
labs fills this gap and explains how developers, auditors and cloud
platform providers benefit from the inherent advantages of a true source code
analysis tool.

http://www.checkmarx.com/NewsDetails.aspx?id=27&cat=3


Maty Siman, CISSP
Founder, CTO
Checkmarx Ltd.
www.checkmarx.com


I was all set to call foul and shun this as spam but decided to give the
paper a look-through first. FWIW, while there's not a lot of real meat to
the doc, there's also no direct "buy our junk" either.

I do think the sample code is a bit unfair (e.g., putting in non-compiling
code and claiming that because it doesn't compile it won't be analyzed
correctly. Since that same code would need to compile in order for the
app to be used, the bugs causing compilation to fail would be fixed, at
which point the binary analysis could resume.)

That said, I don't disagree with the premise: manual > automated, especially
in a maze of twisty passages, like source code analysis.

--
Jason
