Dailydave mailing list archives

Re: The Static Analysis Market and You


From: "Dave Korn" <dave.korn () artimi com>
Date: Tue, 14 Oct 2008 19:25:13 +0100

Dave Aitel wrote on 14 October 2008 15:53:

> One
> possibility is that more research dollars will flood into the space
> and the technology will get better and live up to its marketing.
> Another possibility is that no matter how much you spend, pure static
> analysis can't do the things you want it to do (the IBM and to some
> extent Fortify bet).
>
> Which is it?

  You really asking, or is that just rhetorical?  It's blatantly option B.

  If your code compiles without warnings and lint errors, you've probably
already got 99% of what these tools can do for you, for free.  And the other
1% is the stuff that needs a skilled human being to look at it, anyway; until
we get a real AI working on it, none of this stuff is a great deal more subtle
than "grep -R strcpy *".

[1] http://www.armorize.com/corpweb/en/products/codesecure

  Had to read the source just to even get a look at that one, and found a bit
that made me LOLWTF:

        </table>
<script>
        //var path = '../';

        //for(i=1; i<level; i++) path = path + "../";
        //for(j=1; j<10; j++) document.getElementById('img'+j).src = path + 'imgs/list2.jpg';
        //alert('http://www.armorize.com/corpweb');
        /*var app=navigator.appName.substring(0,1);
        if(app=='M')
        {
                for(k=1; k<10; k++)
                {
                        document.getElementById('link'+k).href = path + document.getElementById('link'+k).getAttribute('href');
                }
                alert(document.getElementById('link1').href);
        }
        else
        {
                for(k=1; k<10; k++) document.getElementById('link'+k).href = path + document.getElementById('link'+k).getAttribute('href');
        }*/
</script>


  Heh.  Disabled now, but it really does look a lot like at some point
somebody had never heard of absolute paths ...


    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....
