Secure Coding mailing list archives

What do you like better Web penetration testing or static code analysis?


From: neumann at csl.sri.com (Peter G. Neumann)
Date: Thu, 22 Apr 2010 10:57:51 PDT


Matt Parsons wrote:
What do you like doing better as application security professionals, web
penetration testing or static code analysis?

McGovern, James F. (P+C Technology) wrote:
Should a security professional have a preference when both have
different value propositions? While there is overlap, a static analysis
tool can find things that pen testing tools cannot. Likewise, a pen test
can report on secure applications deployed insecurely, which is not
visible to static analysis.

So, the best answer is I prefer both...

Both is better than either one by itself, but I think Gary McGraw
would resonate with my seemingly contrary answer:

  BOTH penetration testing AND static code analysis are still looking
  at the WRONG END of the horse AFTER it has left the DEVELOPMENT BARN.
  Gary and I and many others have for a very long time been advocating
  security architectures and development practices that greatly enhance
  INHERENT TRUSTWORTHINESS, long before anyone has to even think about
  penetration testing and static code analysis.

  This discussion is somewhat akin to arguments about who has the best
  malware detection.  If system developers (post-Multics) had paid any
  attention to system architectures and sound system development
  practices, viruses and worms would be mostly a nonproblem!

  Please pardon my soapbox.

    The past survives.
    The archives 
    have lives,
    not knives.
    High fives!

    (I strive
    to thrive
    with jive.)

PGN
