






From: InfoSec News <alerts_at_private>




Date: Wed, 3 Dec 2008 01:39:58 -0600 (CST)






http://blogs.zdnet.com/security/?p=2234



Guest editorial by Shyama Rose

Zero Day

December 1st, 2008



The market for the development and implementation of source code analysis (static and dynamic) tools is swelling. Companies are increasingly relying on source code analysis tools to identify security-related vulnerabilities. The demand for, and reliance upon, sophisticated automated solutions are greater than the supply of quality tools. Because the tools are underdeveloped and immature, and because of the nature of the industry, the risk that highly complex vulnerabilities are left unidentified and unmitigated is high.

Code analysis tools should be used as guidelines or preliminary benchmarks as opposed to definitive software security solutions.

The usefulness of analysis tools for augmenting security reviews is undeniable. On large code bases they can reduce the time invested. They provide insight into the code analysis process and can be used as a guide for reviewers. However, a negative trend is emerging where enterprises rely solely upon automated approaches to gain insight into risk. This creates a false sense of security, as the relying party is likely unaware of the deficiencies behind the security guarantees that tools promote.

The deficiencies of analysis tools are well known and documented. Current tools lack the ability to identify sophisticated bugs and lean towards identifying top-level, common vulnerabilities. Regardless, companies believe they provide a good-faith sense of security to their products and customers. In their infancy and lack of sophistication, the tools fall far short of the analysis and the context that a human reviewer can provide. The most sophisticated source code analysis tools are signature based, focus on data flow and rarely address control flow, and fail on frameworks.
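To make the last sentence concrete, here is an added illustration (not the editorial's code, and not any product's algorithm): a toy signature-based scanner that, like the tools described, matches call signatures and tracks data from a source to a sink but ignores statement order and branching. Run over a constructed sample, it catches the straight-line case, misses the case where the sanitizer sits on only one branch (control flow), and misses the handler whose input arrives through a framework object it has no model for. A second pass that walks statements in order and merges branches shows what "addressing control flow" buys. The signature tables, the `route` decorator and the sample program are all constructed for this example.

```python
"""Toy signature/data-flow scanner over Python source (constructed example).
Shows the false negatives that come from ignoring control flow and from not
modelling a framework's entry points."""
import ast

SOURCES = {"input"}            # constructed: calls that return untrusted data
SANITIZERS = {"shlex.quote"}   # constructed: calls treated as neutralising data
SINKS = {"os.system"}          # constructed: dangerous call signatures


def _qualname(node):
    """'mod.attr' or 'name' for a call target; None for anything else."""
    if isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
        return f"{node.value.id}.{node.attr}"
    return node.id if isinstance(node, ast.Name) else None


def _assigned_from(stmt, table):
    """Names assigned in `stmt` from a call whose signature is in `table`."""
    if isinstance(stmt, ast.Assign) and isinstance(stmt.value, ast.Call) \
            and _qualname(stmt.value.func) in table:
        return {t.id for t in stmt.targets if isinstance(t, ast.Name)}
    return set()


def _sink_args(stmt):
    """Variable names passed directly to a SINK call statement, if any."""
    if isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call) \
            and _qualname(stmt.value.func) in SINKS:
        return {a.id for a in stmt.value.args if isinstance(a, ast.Name)}
    return set()


def flow_insensitive_scan(source):
    """Signatures plus per-function data flow, ignoring order and branching:
    a variable counts as clean if a sanitizer assigns it *anywhere*."""
    findings = []
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, ast.FunctionDef):
            continue
        stmts = list(ast.walk(fn))
        tainted = set().union(*(_assigned_from(s, SOURCES) for s in stmts))
        clean = set().union(*(_assigned_from(s, SANITIZERS) for s in stmts))
        for s in stmts:
            if _sink_args(s) & (tainted - clean):
                findings.append((fn.name, s.lineno))
    return findings


def flow_sensitive_scan(source):
    """Same signatures, but statements are walked in order and at an `if` a
    variable stays clean only when every branch leaves it clean."""
    findings = []

    def walk(stmts, fn_name, tainted, clean):
        for s in stmts:
            if isinstance(s, ast.If):
                tb, cb = set(tainted), set(clean)
                walk(s.body, fn_name, tb, cb)
                te, ce = set(tainted), set(clean)
                walk(s.orelse, fn_name, te, ce)
                tainted |= tb | te          # tainted on any path
                clean &= cb & ce            # clean only on every path
                continue
            for name in _assigned_from(s, SOURCES):
                tainted.add(name)
                clean.discard(name)
            clean |= _assigned_from(s, SANITIZERS)
            if _sink_args(s) & (tainted - clean):
                findings.append((fn_name, s.lineno))

    for fn in ast.walk(ast.parse(source)):
        if isinstance(fn, ast.FunctionDef):
            walk(fn.body, fn.name, set(), set())
    return findings


SAMPLE = '''\
import os, shlex

def direct():
    cmd = input()
    os.system(cmd)                     # source straight into sink

def sanitized_on_one_branch():
    cmd = input()
    if cmd.startswith("ls"):
        cmd = shlex.quote(cmd)         # only this path is sanitised
    os.system(cmd)

ROUTES = {}
def route(path):                       # constructed stand-in for a web framework
    def register(fn):
        ROUTES[path] = fn
        return fn
    return register

@route("/run")
def framework_handler(request):
    cmd = request.args["cmd"]          # framework-supplied input, not in SOURCES
    os.system(cmd)
'''


def demo():
    """Run both scanners over SAMPLE; return the function names each flags."""
    return {
        "flow_insensitive": sorted({f for f, _ in flow_insensitive_scan(SAMPLE)}),
        "flow_sensitive": sorted({f for f, _ in flow_sensitive_scan(SAMPLE)}),
    }


if __name__ == "__main__":
    for mode, flagged in demo().items():
        print(f"{mode}: {flagged}")
```

The flow-insensitive pass reports only `direct`; the ordered pass also reports `sanitized_on_one_branch`. Neither reports `framework_handler`, because nothing in the signature tables says that `request.args` carries attacker-controlled data: that knowledge is a model of the framework, and without it the sink is never connected to a source, which is the failure mode the editorial calls "fail on frameworks".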



[...]





_______________________________________________

Help InfoSecNews.org with a donation!

http://www.infosecnews.org/donate.html



Received on Tue Dec 02 2008 - 23:39:58 PST




