What do you like better Web penetration testing or static code analysis?

[cwysopal at veracode.com (Chris Wysopal)]

Most software security people that I talk to that advocate static analysis and pen testing see it as one part of the 
overall solution.  It is a part of the solution that software producers can get started on rather easily to open their 
eyes that they need secure architectures and better development practices.  

The biggest problem I face when dealing with our customers is the developers already think they have written secure 
code.  It is only after you demonstrate on their own code that they have exploitable vulnerabilities will anything be 
done to remedy the situation.  This is why static analysis and pen testing are an important part of driving software 
security to the masses of developers.

-Chris


-----Original Message-----
From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of Gary McGraw
Sent: Thursday, April 22, 2010 3:15 PM
To: Peter Neumann; Secure Code Mailing List
Subject: Re: [SC-L] What do you like better Web penetration testing or static code analysis?

I hereby resonate with my esteemed colleague and mentor pgn.  But no puns from me.

gem


On 4/22/10 1:57 PM, "Peter Neumann" <neumann at csl.sri.com> wrote:



Matt Parsons wrote:
> What do you like doing better as application security professionals, web
> penetration testing or static code analysis?

McGovern, James F. (P+C Technology) wrote:
> Should a security professional have a preference when both have
> different value propositions? While there is overlap, a static analysis
> tool can find things that pen testing tools cannot. Likewise, a pen test
> can report on secure applications deployed insecurely which is not
> visible to static analysis.
>
> So, the best answer is I prefer both...

Both is better than either one by itself, but I think Gary McGraw
would resonate with my seemingly contrary answer:

  BOTH penetration testing AND static code analysis are still looking
  at the WRONG END of the horse AFTER it has left the DEVELOPMENT BARN.
  Gary and I and many others have for a very long time been advocated
  security architectures and development practices that greatly enhance
  INHERENT TRUSTWORTHINESS, long before anyone has to even think about
  penetration testing and static code analysis.

  This discussion is somewhat akin to arguments about who has the best
  malware detection.  If system developers (past-Multics) had paid any
  attention to system architectures and sound system development
  practices, viruses and worms would be mostly a nonproblem!

  Please pardon my soapbox.

    The past survives.
    The archives
    have lives,
    not knives.
    High fives!

    (I strive
    to thrive
    with jive.)

PGN
_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________


_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________