Re: Comparing Scanning Tools (false positives)

[info at secappdev.org (Johan Peeters)]

Crispin Cowan wrote:
> David A. Wheeler wrote:
>
> > Brian Chess (brian at fortifysoftware dot com) said:
> >
> > > False positives:
> > > Nobody likes dealing with a pile of false positives, and we work hard to
> > > reduce false positives without giving up potentially exploitable
> > > vulnerabilities.
> >
> > I think everyone agrees that there are "way too many false positives"
> > in the sense that "there are so many it's annoying and it costs money
> > to check them out" in most of today's tools.
> >
> > But before you say "tools are useless" you have to ask, "compared to
> > what?"
> > Manual review can find all sorts of things, but manual review is likely
> > to miss many serious problems too.  ESPECIALLY if there are only a
> > few manual reviewers for a large codebase, an all-too-common situation.
>
> I would like to introduce you to my new kick-ass scanning tool. You run
> it over your source code, and it only produces a single false-positive
> for you to check out. That false positive just happens to be the
> complete source code listing for your entire program :)

If you can guarantee it is a false positive, this is a very useful tool 
indeed :-)

kr,

Yo

-- 
Johan Peeters
program director
http://www.secappdev.org
+32 16 649000