True Source Code Analysis for Security

Source Code Analysis has become the de facto choice to introduce secure development as well as gauge inherent software risk. The irony is that source code analysis doesn't often look at the source at all. In fact, the majority of the products are using Binary analysis or byte-code analysis (BCA) created by the compiler. This method saves a great deal of effort when developing the analysis tools, but lowers drastically the usability and accuracy of the results.

This technical paper – with detailed code examples – from Checkmarx research labs fills this gap and explains how developers, auditors and cloud platform providers benefit from the inherent advantages of a true source code analysis tool.

http://www.checkmarx.com/NewsDetails.aspx?id=27&cat=3

Maty Siman, CISSP
Founder, CTO
Checkmarx Ltd.
www.checkmarx.com

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------

Re: True Source Code Analysis for Security

Note to self: Always trust "white papers" that say things like "This is not a sales-pitch."

Maty, could you cite examples of the "many" vendors you're talking about? Otherwise this has little value and cannot be vetted.

Regarding your "Non Linking Code" example, there's a reason we want the libraries so we can accurately compile the code - with the code sample given, external libs could be filtering either user input or the sql statements.

I'm writing this as somebody who has used several major SCA tools - a quick glance of your company's site looks interesting, but right now I feel like I'm being marketed to.

John

On Oct 29, 2009, at 8:34 AM, Maty Siman wrote:

> Source Code Analysis has become the de facto choice to introduce secure development as well as gauge inherent software risk. The irony is that source code analysis doesn't often look at the source at all. In fact, the majority of the products are using Binary analysis or byte-code analysis (BCA) created by the compiler. This method saves a great deal of effort when developing the analysis tools, but lowers drastically the usability and accuracy of the results.
>
> This technical paper – with detailed code examples – from Checkmarx research labs, fills this gap and explains how developers, auditors and cloud platform providers benefit from the inherent advantages of true source code analysis tool.
>
> http://www.checkmarx.com/NewsDetails.aspx?id=27&cat=3
>
> Maty Siman, CISSP
> Founder, CTO
> Checkmarx Ltd.
> www.checkmarx.com

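John's point above, that a tool needs the external libraries before it can tell whether user input is filtered on its way into the SQL statement, as an added illustration that is not part of the thread or of any vendor's product: a minimal taint tracker over Python's `ast` that labels a sink argument `unresolved` when it has passed through an external call whose source is unavailable, and `sanitized` once the library is known. The sample program, the `extlib.escape` name and the source/sink names are assumptions.

```python
import ast

# Assumed names for the untrusted source, the SQL sink, and a label ranking (worst wins).
SOURCES = {"request.args"}
SINKS = {"execute"}
RANK = {"clean": 0, "sanitized": 1, "unresolved": 2, "tainted": 3}
def worst(labels): return max(labels, key=RANK.get, default="clean")

def qualname(node):
    """Dotted name for a Name/Attribute chain, e.g. 'extlib.escape'."""
    if isinstance(node, ast.Name):
        return node.id
    return f"{qualname(node.value)}.{node.attr}" if isinstance(node, ast.Attribute) else None

def taint_of(expr, env, sanitizers):
    """Label: tainted, unresolved (went through code the analyzer has no source for), sanitized, clean."""
    if isinstance(expr, (ast.Constant, ast.Name)):
        return env.get(expr.id, "clean") if isinstance(expr, ast.Name) else "clean"
    if isinstance(expr, ast.Attribute):
        return "tainted" if qualname(expr) in SOURCES else taint_of(expr.value, env, sanitizers)
    if isinstance(expr, ast.Subscript):
        return taint_of(expr.value, env, sanitizers)
    if isinstance(expr, ast.BinOp):
        return worst([taint_of(expr.left, env, sanitizers), taint_of(expr.right, env, sanitizers)])
    if isinstance(expr, ast.Call):
        inbound = worst([taint_of(a, env, sanitizers) for a in expr.args])
        if inbound == "clean":
            return "clean"
        # Only with the library's source can the tool know whether this call filters input.
        return "sanitized" if qualname(expr.func) in sanitizers else "unresolved"
    return "unresolved"

def analyze(src, sanitizers=frozenset()):
    """Return [(line, label)] for the arguments of every SINK call, function by function."""
    findings = []
    for fn in ast.parse(src).body:
        env = {}  # variable name -> taint label, tracked in statement order
        for stmt in getattr(fn, "body", []):
            if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
                env[stmt.targets[0].id] = taint_of(stmt.value, env, sanitizers)
            elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
                if isinstance(stmt.value.func, ast.Attribute) and stmt.value.func.attr in SINKS:
                    findings.append((stmt.lineno, worst([taint_of(a, env, sanitizers) for a in stmt.value.args])))
    return findings
# Constructed sample: request input passes through an external library call, then into SQL.
SAMPLE = """def handler(request, db):
    name = request.args["name"]
    clean = extlib.escape(name)
    db.execute("SELECT * FROM users WHERE name = '" + clean + "'")
"""
```

`analyze(SAMPLE)` reports the sink on line 4 as `unresolved`; `analyze(SAMPLE, {"extlib.escape"})` reports it as `sanitized`, which is the difference having the library makes.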
Re: True Source Code Analysis for Security

On Thu, Oct 29, 2009 at 10:34 AM, Maty Siman <maty@...> wrote:

> This technical paper – with detailed code examples – from Checkmarx research labs, fills this gap and explains how developers, auditors and cloud platform providers benefit from the inherent advantages of true source code analysis tool.
>
> http://www.checkmarx.com/NewsDetails.aspx?id=27&cat=3
>
> Maty Siman, CISSP
> Founder, CTO
> Checkmarx Ltd.
> www.checkmarx.com

I was all set to call foul and shun this as spam but decided to give the paper a look-through first. FWIW, while there's not a lot of real meat to the doc, there's also no direct "buy our junk" either.

I do think the sample code is a bit unfair (e.g. putting in non-compiling code and claiming that because it doesn't compile it won't be analyzed correctly. Since that same code would need to compile in order for the app to be used, the bugs causing compilation to fail would be fixed, at which point the binary analysis could resume.)

That said, I don't disagree with the premise: manual > automated, especially in a maze of twisty passages, like source code analysis.

-- 
Jason

Re: True Source Code Analysis for Security

On Mon, Nov 2, 2009 at 8:36 PM, John Kinsella <jlk@...> wrote:

> I'm writing this as somebody who has used several major SCA tools - a quick glance of your company's site looks interesting, but right now I feel like I'm being marketed to.

Agreed, it feels "slimy". That was my first reaction to this thread as well. But then I tried to identify what exactly it was that caused me to feel that way.

* The white paper itself doesn't try to market their product that I could see.
* The web site it's available from doesn't require an email address or any other form of information before allowing you to download the document.
* The original post does not attempt to specifically peddle any product.

I don't think there's anything wrong with a company putting out a technical white paper that describes an issue as long as they aren't using it to tout their specific product (that's what the marketing white papers are for IMO). I also don't think there's anything wrong with that company sending an email to a relevant list stating that they have such a paper available, particularly if there's no information required to obtain it (which always turns me off as a marketing ploy to build 'potential customer' databases).

So, I was left to conclude that really, the only reason I felt this was marketing was because the original message came from the founder of the company that presented the paper and not some tech grunt within it. For me, that was unfair, and is why I posted my original message about this.

That aside, as I mentioned in my post, and as you also pointed out in yours, I'm not sure that all of the arguments given in the doc are well founded.

-- 
Jason