Secure Coding mailing list archives
Re: Comparing Scanning Tools (false positives)
From: info at secappdev.org (Johan Peeters)
Date: Tue, 13 Jun 2006 23:38:05 +0200
Crispin Cowan wrote:
> David A. Wheeler wrote:
>> Brian Chess (brian at fortifysoftware dot com) said:
>>> False positives: Nobody likes dealing with a pile of false positives, and we work hard to reduce false positives without giving up potentially exploitable vulnerabilities.
>> I think everyone agrees that there are "way too many false positives" in the sense that "there are so many it's annoying and it costs money to check them out" in most of today's tools. But before you say "tools are useless" you have to ask, "compared to what?" Manual review can find all sorts of things, but manual review is likely to miss many serious problems too. ESPECIALLY if there are only a few manual reviewers for a large codebase, an all-too-common situation.
> I would like to introduce you to my new kick-ass scanning tool. You run it over your source code, and it only produces a single false positive for you to check out. That false positive just happens to be the complete source code listing for your entire program :)
If you can guarantee it is a false positive, this is a very useful tool indeed :-)

kr,
Yo

-- 
Johan Peeters
program director
http://www.secappdev.org
+32 16 649000
Current thread:
- Re: Comparing Scanning Tools (false positives) David A. Wheeler (Jun 12)
- Re: Comparing Scanning Tools (false positives) Crispin Cowan (Jun 12)
- Re: Comparing Scanning Tools (false positives) Johan Peeters (Jun 13)
- Re: Comparing Scanning Tools (false positives) David A. Wheeler (Jun 13)
- Re: Comparing Scanning Tools (false positives) Johan Peeters (Jun 13)
- <Possible follow-ups>
- Re: Comparing Scanning Tools (false positives) Gary McGraw (Jun 12)
- Re: Comparing Scanning Tools (false positives) David A. Wheeler (Jun 13)
- Re: Comparing Scanning Tools (false positives) Crispin Cowan (Jun 12)