Penetration Testing mailing list archives
Re: True Source Code Analysis for Security
From: John Kinsella <jlk () thrashyour com>
Date: Mon, 2 Nov 2009 17:36:11 -0800
Note to self: Always trust "white papers" that say things like "This is not a sales-pitch."
Maty, could you cite examples of the "many" vendors you're talking about? Otherwise this has little value and cannot be vetted.
Regarding your "Non Linking Code" example, there's a reason we want the libraries: so we can accurately compile the code. With the code sample given, external libs could be filtering either the user input or the SQL statements.
I'm writing this as somebody who has used several major SCA tools. A quick glance at your company's site looks interesting, but right now I feel like I'm being marketed to.
John

On Oct 29, 2009, at 8:34 AM, Maty Siman wrote:
Source Code Analysis has become the de facto choice to introduce secure development as well as gauge inherent software risk. The irony is that source code analysis doesn't often look at the source at all. In fact, the majority of the products are using binary analysis or byte-code analysis (BCA) created by the compiler. This method saves a great deal of effort when developing the analysis tools, but drastically lowers the usability and accuracy of the results.

This technical paper – with detailed code examples – from Checkmarx research labs fills this gap and explains how developers, auditors and cloud platform providers benefit from the inherent advantages of a true source code analysis tool.

http://www.checkmarx.com/NewsDetails.aspx?id=27&cat=3

Maty Siman, CISSP
Founder, CTO
Checkmarx Ltd.
www.checkmarx.com

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------
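To make the "Non Linking Code" point in the reply above concrete, here is an added illustration (not code from either poster, nor from Checkmarx): a minimal straight-line taint pass over a constructed snippet in which the SQL string passes through an external library call. Without a model of that library the honest verdict is "unknown"; the analyzer can only say "safe" or "vulnerable" once it knows whether `extlib.build_query` (a hypothetical name) sanitises its argument or passes it through.

```python
import ast

# Constructed sample of the "non linking code" case: the SQL statement passes
# through an external library function whose source the analyzer does not have.
SAMPLE = """
user = request.args['name']
query = extlib.build_query(user)
cursor.execute(query)
"""
SOURCES = {"request.args"}   # where untrusted input enters
SINKS = {"cursor.execute"}   # where a tainted string becomes a SQL query

def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def analyze(source, library_model=None):
    """Straight-line taint pass. library_model: callee -> True (sanitises) or False
    (passes taint through). Returns 'safe', 'vulnerable' or 'unknown:<callee>'."""
    library_model = library_model or {}
    taint = {}  # variable -> 'source' or 'unknown:<callee>'
    for stmt in ast.parse(source).body:
        if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
            name, val = stmt.targets[0].id, stmt.value
            if isinstance(val, ast.Subscript) and _dotted(val.value) in SOURCES:
                taint[name] = "source"
            elif isinstance(val, ast.Call):
                callee = _dotted(val.func)
                inflow = [taint[a.id] for a in val.args
                          if isinstance(a, ast.Name) and a.id in taint]
                if not inflow:
                    continue
                if callee not in library_model:
                    taint[name] = "unknown:%s" % callee  # callee's source not available
                elif not library_model[callee]:
                    taint[name] = inflow[0]  # known pass-through keeps the taint
        elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            call = stmt.value
            if _dotted(call.func) in SINKS:
                for a in call.args:
                    if isinstance(a, ast.Name) and a.id in taint:
                        return "vulnerable" if taint[a.id] == "source" else taint[a.id]
    return "safe"
```

Running `analyze(SAMPLE)` with no library model reports the unresolved callee; supplying `{"extlib.build_query": True}` or `{"extlib.build_query": False}` flips the verdict to "safe" or "vulnerable", which is exactly why the reply wants the libraries before trusting a result.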
Current thread:
- True Source Code Analysis for Security Maty Siman (Nov 02)
- Re: True Source Code Analysis for Security John Kinsella (Nov 04)
- Re: True Source Code Analysis for Security Jason Ross (Nov 04)
- Re: True Source Code Analysis for Security Jason Ross (Nov 04)
- Re: True Source Code Analysis for Security John Kinsella (Nov 04)