From: Nicolas RUFF (nicolas.ruff@gmail.com)
Date: Thu Sep 14 2006 - 04:10:20 EDT
> Static parsers do not find security flaws (security defects in architecture and design) that can only be found with manual secure code reviews and secure architecture design review.
Hello,
Static analysis is very good at finding "mathematically provable" flaws
(i.e. writing at offset 11 of a 10-element array).
However, I do not know of any analyzer of any kind that would raise an alarm
on a trivial backdoor such as a hardcoded username/password ...
I am not even sure this is mathematically feasible ...
Conclusion: tools are *very* useful (especially code browsing tools),
but manual auditing can still find bugs that nothing else ever could.
Regards
- Nicolas RUFF
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:56 EDT