Secure Coding mailing list archives

IBM Acquires Ounce Labs, Inc.


From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 5 Aug 2009 14:24:05 -0400 (EDT)


On Tue, 4 Aug 2009, Chris Wysopal wrote:

> As a group of security practitioners it is amazing to me that we don't
> have more quantifiable testing and tools/services are just dismissed
> with anecdotal data.  I am glad NIST SATE '09 will soon be underway and,
> at least for static analysis tools, we will have unbiased independent
> testing. I am hoping for a big improvement over last year.  I especially
> like the category they are using for some flaws found as "valid but
> insignificant". Clearly they are improving based on feedback from SATE
> '08.

By the way, I don't recall anybody mentioning this to SC-L before, but the
SATE 2008 writeup and raw data are available:

  http://samate.nist.gov/index.php/SATE.html

In the NIST pub we cover a lot of lessons learned, especially in my paper.
From the raw data you can see the complexities in doing this kind of
large-scale comparison.  In my opinion, our biggest limitation was not
using live tools.

- Steve
