Secure Coding mailing list archives

Really dumb questions?


From: brian at fortifysoftware.com (Brian Chess)
Date: Thu, 30 Aug 2007 14:24:41 -0700

- So when a vendor says that they are focused on quality and not
security, and vice versa what exactly does this mean?

We spend most of Chapter 2 of Secure Programming with Static Analysis
describing the different problems that static analysis tools try to solve,
and we show where we think all of the companies you mention (plus a lot of
others) fit in.  The relative importance of false positives vs false
negatives is one important difference, but so are extensibility, rule set (as
John mentioned), the ability of the tool to prioritize its findings, and the
interface the tool presents for exploring the results.  From my experience,
the vendors do different things in all of these areas, and these differences
aren't just a result of dumb luck.  They stem from different philosophies
about what the tools are supposed to do.  "Quality vs. Security" may be an
oversimplification, but the differences between the tools are much more than
cosmetic.


- Is it reasonable to expect that all of the vendors in this space will
have the ability to support COBOL, Ruby and Smalltalk sometime next year
so that customers don't have to specifically request it?

I don't think so.  The way a tool is designed can make it easier or harder
to add support for a new language, but unless you're doing a really
superficial analysis, adding a new language is always a big deal. Supporting
a language requires more than just being able to parse it.  The tools often
have to do special work to make sure that the meaning of common idioms
carries over correctly in the analysis, then there's the small matter of
developing a rule set.

Someone mentioned that Ruby makes life hard because it lacks static types.
While that's true, it compensates in other ways.  For example, because of a
lack of static types, there are often more bugs to find.  There's some
really good academic work going on right now around security analysis of
scripting languages (mostly PHP).  Here's my pick of the week:

Sound and Precise Analysis of Web Applications for Injection Vulnerabilities
by Gary Wassermann and Zhendong Su
http://wwwcsif.cs.ucdavis.edu/~wassermg/research/pldi07.pdf


Regards,
Brian