Penetration Testing mailing list archives
Re: Fwd: Re: tools to scan source code
From: Nicolas RUFF <nicolas.ruff () gmail com>
Date: Thu, 14 Sep 2006 10:10:20 +0200
> Static parsers do not find security flaws (security defects in architecture and design) that can only be found with manual secure code reviews and secure architecture design review.

Hello,

Static analysis is very good at finding "mathematically provable" flaws (i.e. writing at offset 11 of a 10-element array). However, I do not know any analyzer of any kind that would raise an alarm on a trivial backdoor such as a hardcoded username/password ... I am not even sure this is mathematically feasible ...

Conclusion: tools are *very* useful (especially code browsing tools), but manual auditing can still find bugs that nothing else ever could.

Regards
- Nicolas RUFF
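To make the distinction in the reply above concrete, here is an added example (not from the thread or its author): a toy Python pass over a constructed C fragment that reports the provable out-of-bounds write with a constant index, and separately raises a heuristic flag for string literals compared against parameters inside a function whose name suggests authentication. The function names, regexes and sample code are all assumptions of this example; the second finding is only a hint for a human reviewer, not proof of a backdoor.

```python
import re

# Constructed C fragment used as sample input (not from the thread).
SAMPLE = """\
int buf[10];
buf[11] = 1;          /* provable: constant index past the bound */
buf[i] = 2;           /* index unknown to a purely syntactic pass */
int login(const char *u, const char *p) {
    if (strcmp(u, "admin") == 0 && strcmp(p, "s3cret") == 0) return 1;
    return check_db(u, p);
}
"""

DECL = re.compile(r'\b\w+\s+(\w+)\[(\d+)\];')            # type name[N];
INDEX = re.compile(r'\b(\w+)\[(\d+)\]\s*=')              # name[K] = ...
LITERAL_CMP = re.compile(r'strcmp\(\s*(\w+)\s*,\s*"([^"]*)"\s*\)\s*==\s*0')
AUTH_FUNC = re.compile(r'\b(login|auth\w*|check_pass\w*)\s*\(')

def find_constant_oob(src):
    """Provable finding: a constant index >= the declared array size.
    Returns (line, array, index, size) tuples."""
    sizes = {name: int(n) for name, n in DECL.findall(src)}
    hits = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for name, idx in INDEX.findall(line):
            if name in sizes and int(idx) >= sizes[name]:
                hits.append((lineno, name, int(idx), sizes[name]))
    return hits

def find_literal_credentials(src):
    """Heuristic only: a string literal compared against a variable inside
    a function that looks like an authentication routine. Whether it is a
    backdoor, a test stub or a harmless default needs a human reviewer."""
    hits = []
    in_auth = False
    for lineno, line in enumerate(src.splitlines(), 1):
        if AUTH_FUNC.search(line) and '{' in line:
            in_auth = True
        if in_auth:
            for var, lit in LITERAL_CMP.findall(line):
                hits.append((lineno, var, lit))
        if in_auth and line.strip() == '}':
            in_auth = False   # crude end-of-function detection
    return hits

if __name__ == "__main__":
    print("provable:", find_constant_oob(SAMPLE))
    print("review needed:", find_literal_credentials(SAMPLE))
```

Note that `buf[i]` is silently skipped: without data-flow analysis the tool cannot say anything about it, which is exactly the gap manual review fills.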