Re: [Dailydave] The Static Analysis Market and You

From: Dave Korn (dave.kornartimi.com)
Date: Tue Oct 14 2008 - 13:25:13 CDT


Dave Aitel wrote on 14 October 2008 15:53:

> One
> possibility is that more research dollars will flood into the space
> and the technology will get better and live up to its marketing.
> Another possibility is that no matter how much you spend, pure static
> analysis can't do the things you want it to do (the IBM and to some
> extent Fortify bet).
>
> Which is it?

  You really asking, or is that just rhetorical? It's blatantly option B.

  If your code compiles without warnings and lint errors, you've probably
already got 99% of what these tools can do for you, for free. And the other
1% is the stuff that needs a skilled human being to look at it, anyway; until
we get a real AI working on it, none of this stuff is a great deal more subtle
than "grep -R strcpy *".

> [1] http://www.armorize.com/corpweb/en/products/codesecure

  Had to read the source just to even get a look at that one, and found a bit
that made me LOLWTF:

        </table>
<script>
        //var path = '../';

        //for(i=1; i<level; i++) path = path + "../";
        //for(j=1; j<10; j++) document.getElementById('img'+j).src = path + 'imgs/list2.jpg';
        //alert('http://www.armorize.com/corpweb');
        /*var app=navigator.appName.substring(0,1);
        if(app=='M')
        {
                for(k=1; k<10; k++)
                {
                        document.getElementById('link'+k).href = path + document.getElementById('link'+k).getAttribute('href');
                }
                alert(document.getElementById('link1').href);
        }
        else
        {
                for(k=1; k<10; k++) document.getElementById('link'+k).href = path + document.getElementById('link'+k).getAttribute('href');
        }*/
</script>

  Heh. Disabled now, but it really does look a lot like at some point
somebody had never heard of absolute paths ...

    cheers,
      DaveK
--
Can't think of a witty .sigline today....

_______________________________________________
Dailydave mailing list
Dailydavelists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave