Re: True Source Code Analysis for Security



On Thu, Oct 29, 2009 at 10:34 AM, Maty Siman <maty@xxxxxxxxxxxxx> wrote:
This technical paper – with detailed code examples – from Checkmarx research
labs fills this gap and explains how developers, auditors and cloud
platform providers benefit from the inherent advantages of a true source code
analysis tool.

http://www.checkmarx.com/NewsDetails.aspx?id=27&cat=3


Maty Siman, CISSP
Founder, CTO
Checkmarx Ltd.
www.checkmarx.com


I was all set to call foul and shun this as spam but decided to give the
paper a look-through first. FWIW, while there's not a lot of real meat to
the doc, there's also no direct "buy our junk" either.

I do think the sample code is a bit unfair (e.g. putting in non-compiling
code and claiming that because it doesn't compile it won't be analyzed
correctly. Since that same code would need to compile in order for the
app to be used, the bugs causing compilation to fail would be fixed, at
which point the binary analysis could resume.)

That said, I don't disagree with the premise: manual > automated, especially
in a maze of twisty passages, like source code analysis.

--
Jason
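To make the point under discussion concrete (a source-level checker can keep reporting on the parts of a file that parse, whereas anything that needs a successful build gets nothing until every error is fixed), here is a small added example. It is not code from the Checkmarx paper or from either poster: it is a toy source-level SQL-injection check for Python written for this thread. The sample source it scans is constructed, the "split the file on top-level `def` lines" heuristic is an assumption chosen so one broken function does not block parsing of the others, and the check itself is deliberately simple (any `execute()` whose first argument is built at runtime with `%`, `+`, `.format()` or an f-string is flagged).

```python
import ast
import re

# Constructed sample input: one injectable query, one parameterised query,
# and one function with syntax errors (missing colon, unclosed paren).
SAMPLE_SOURCE = '''
def find_user(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = '%s'" % name)
    return cursor.fetchone()

def safe_find_user(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))
    return cursor.fetchone()

def broken(cursor, name)
    return cursor.execute("SELECT 1"
'''


def split_top_level(source):
    """Heuristic (assumption): split on lines starting with 'def ' so that
    each top-level function becomes its own chunk and can be parsed alone."""
    chunks, current = [], []
    for line in source.splitlines():
        if line.startswith("def ") and current:
            chunks.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        chunks.append("\n".join(current))
    return [c for c in chunks if c.strip()]


def is_dynamic_query(node):
    """True if the SQL text is assembled at runtime rather than a literal."""
    if isinstance(node, (ast.BinOp, ast.JoinedStr)):   # "..." % x, "..." + x, f"..."
        return True
    if (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):           # "...".format(x)
        return True
    return False


def scan_chunk(chunk):
    """Return chunk-relative line numbers of execute() calls with dynamic SQL.
    Raises SyntaxError if the chunk does not parse."""
    findings = []
    for node in ast.walk(ast.parse(chunk)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute"
                and node.args
                and is_dynamic_query(node.args[0])):
            findings.append(node.lineno)
    return findings


def analyze(source):
    """Scan every function it can parse; record the ones it cannot."""
    result = {"findings": [], "unparseable": []}
    for chunk in split_top_level(source):
        match = re.match(r"def\s+(\w+)", chunk.strip())
        name = match.group(1) if match else "<module>"
        try:
            result["findings"].extend((name, ln) for ln in scan_chunk(chunk))
        except SyntaxError:
            # A build-dependent tool would stop here; we skip just this chunk.
            result["unparseable"].append(name)
    return result


if __name__ == "__main__":
    print(analyze(SAMPLE_SOURCE))
```

Run stand-alone it reports the injectable `execute()` in `find_user`, passes `safe_find_user`, and lists `broken` as unparseable instead of aborting. The flip side of Jason's objection is also visible here: the same heuristic that lets the scan continue means whatever is inside `broken` is silently unexamined, so a practitioner should treat the `unparseable` list as coverage lost, not as clean code.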
