Secure Coding mailing list archives
What do you like better Web penetration testing or static code analysis?
From: neumann at csl.sri.com (Peter G. Neumann)
Date: Thu, 22 Apr 2010 10:57:51 PDT
Matt Parsons wrote:
What do you like doing better as application security professionals, web penetration testing or static code analysis?
McGovern, James F. (P+C Technology) wrote:
Should a security professional have a preference when both have different value propositions? While there is overlap, a static analysis tool can find things that pen testing tools cannot. Likewise, a pen test can report on secure applications deployed insecurely which is not visible to static analysis. So, the best answer is I prefer both...
Both is better than either one by itself, but I think Gary McGraw would resonate with my seemingly contrary answer: BOTH penetration testing AND static code analysis are still looking at the WRONG END of the horse AFTER it has left the DEVELOPMENT BARN. Gary and I and many others have for a very long time been advocated security architectures and development practices that greatly enhance INHERENT TRUSTWORTHINESS, long before anyone has to even think about penetration testing and static code analysis. This discussion is somewhat akin to arguments about who has the best malware detection. If system developers (past-Multics) had paid any attention to system architectures and sound system development practices, viruses and worms would be mostly a nonproblem! Please pardon my soapbox. The past survives. The archives have lives, not knives. High fives! (I strive to thrive with jive.) PGN
Current thread:
- What do you like better Web penetration testing or static code analysis? Peter G. Neumann (Apr 22)
- What do you like better Web penetration testing or static code analysis? Gary McGraw (Apr 22)
- What do you like better Web penetration testing or static code analysis? Matt Parsons (Apr 23)
- What do you like better Web penetration testing or static code analysis? Brian Chess (Apr 23)
- What do you like better Web penetration testing or static code analysis? Kevin W. Wall (Apr 24)
- What do you like better Web penetration testing or static code analysis? Arian J. Evans (Apr 24)
- Message not available
- [WEB SECURITY] Re: What do you like better Web penetration testing or static code analysis? Arian J. Evans (Apr 27)
- Message not available
- [WEB SECURITY] Re: What do you like better Web penetration testing or static code analysis? Arian J. Evans (Apr 27)
- Message not available
- Message not available
- Message not available
- Message not available
- [WEB SECURITY] Re: What do you like better Web penetration testing or static code analysis? Matt Parsons (Apr 27)
- What do you like better Web penetration testing or static code analysis? Matt Parsons (Apr 23)
- What do you like better Web penetration testing or static code analysis? Gary McGraw (Apr 22)
- Message not available
- Message not available
- Message not available
- Message not available
- [WEB SECURITY] Re: What do you like better Web penetration testing or static code analysis? Sebastian Schinzel (Apr 28)
- [WEB SECURITY] Re: What do you like better Web penetration testing or static code analysis? Greg Beeley (May 05)