Full Disclosure mailing list archives

Coverity


From: Michael Williamson <mwilliamson () falcon tamucc edu>
Date: Tue, 14 Mar 2006 09:57:57 -0600

I'm sorry, but relying on some statistical analysis tool to "certify
code" is utter bullshit.  Sure, this thing is useful in finding bonehead
mistakes and certainly is a worthy tool, but code that passes cannot be
considered defect free.  This leads to a serious false sense of
security...and a sense of security Coverity is happy to take your money
to give you.  I really suspect that path following statistical analysis
tools are generally worthless in finding logic errors, and logic errors
lead to security problems just as overflows/underruns/pointer mishaps. 

I'm not saying Coverity is snake oil, on the contrary it's a useful tool,
but users of it shouldn't make it into more than it is.


-- 
Michael Williamson <mwilliamson () falcon tamucc edu>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
