Guest editorial by Shyama Rose
December 1st, 2008
The market for developing and deploying source code analysis tools (static and dynamic) is swelling. Companies increasingly rely on these tools to identify security-related vulnerabilities, and the demand for sophisticated automated solutions now exceeds the supply of quality tools. Because the tools are underdeveloped and immature, and because of the way the industry operates, the risk that highly complex vulnerabilities are left unidentified and unmitigated is high.
Code analysis tools should be used as guidelines or preliminary benchmarks, not as definitive software security solutions.
The usefulness of analysis tools for augmenting security reviews is undeniable. On large code bases they can reduce the time a review takes, they provide insight into the code, and they can serve as a guide for reviewers. However, a negative trend is emerging: enterprises rely solely on automated approaches to gain insight into risk. This creates a false sense of security, because the relying party is usually unaware of the limits of the security guarantees the tools advertise.
The deficiencies of analysis tools are well known and documented. Current tools cannot identify sophisticated bugs and lean towards top-level, common vulnerabilities. Regardless, companies believe the tools lend a good-faith sense of security to their products and customers. In their infancy and lack of sophistication, the tools fall far short of the analysis, and the context, that a human reviewer can provide. Even the most sophisticated source code analysis tools are signature based, focus on data flow and rarely address control flow, and fail on frameworks.
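To make the last point concrete, here is an added example written for this page; it is not code from the editorial's author or from any analysis product, and it is deliberately much simpler than a real tool. It contrasts a signature-style scanner, which greps source for known-dangerous sink calls, with a small control-flow check over two constructed handlers that differ by a single missing "return". The sample functions, the sink names (os.system, eval, delete_record) and the "if <x>.role != ..." guard heuristic are all assumptions made for the demonstration.

```python
import ast
import re

# Constructed samples (not from the editorial). The two handlers differ
# only in the "return" inside the role guard: without it, execution falls
# through and a non-admin can still reach delete_record().
FALLTHROUGH_GUARD = '''
def delete(user, record_id):
    if user.role != "admin":
        log("denied")
    delete_record(record_id)
'''

PROPER_GUARD = '''
def delete(user, record_id):
    if user.role != "admin":
        log("denied")
        return
    delete_record(record_id)
'''

# A third constructed sample containing a textbook sink that a
# signature-based check is built to catch.
SINK_SAMPLE = '''
def run(path):
    os.system("ls " + path)
'''

# Signature-style check: regular expressions for well-known sinks.
# (Assumed rule set; real products carry thousands of such patterns.)
SIGNATURES = {
    "command-injection": re.compile(r"\bos\.system\s*\("),
    "code-eval": re.compile(r"\beval\s*\("),
}


def signature_scan(source):
    """Return (lineno, rule) for every line that matches a sink signature."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for rule, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits.append((lineno, rule))
    return hits


# Calls that must only be reachable after an authorization guard (assumed).
SENSITIVE_CALLS = {"delete_record"}


def _terminates(stmts):
    """True if a statement list always leaves the function (return/raise)."""
    return bool(stmts) and isinstance(stmts[-1], (ast.Return, ast.Raise))


def _is_role_guard(node):
    """Heuristic: treat 'if <something>.role <op> ...' as an auth guard."""
    test = node.test
    return (isinstance(test, ast.Compare)
            and isinstance(test.left, ast.Attribute)
            and test.left.attr == "role")


def _calls(stmt):
    """Names of plain functions called anywhere inside one statement."""
    return {n.func.id for n in ast.walk(stmt)
            if isinstance(n, ast.Call) and isinstance(n.func, ast.Name)}


def control_flow_scan(source):
    """Report sensitive calls reachable without passing a terminating guard.

    Walks each function body in order; a role guard only protects the
    statements after it if its body always exits the function.
    """
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        guarded = False
        for stmt in func.body:
            if isinstance(stmt, ast.If) and _is_role_guard(stmt):
                if _terminates(stmt.body):
                    guarded = True
                else:
                    findings.append((stmt.lineno, "guard falls through"))
            elif not guarded:
                for name in sorted(_calls(stmt) & SENSITIVE_CALLS):
                    findings.append((stmt.lineno, f"unguarded {name}()"))
    return findings


if __name__ == "__main__":
    for label, src in [("sink", SINK_SAMPLE), ("fallthrough", FALLTHROUGH_GUARD),
                       ("proper", PROPER_GUARD)]:
        print(label, "signature:", signature_scan(src),
              "control-flow:", control_flow_scan(src))
```

The signature scanner flags the os.system line and nothing else; the authorization bypass in FALLTHROUGH_GUARD contains no dangerous call text at all, so it is invisible to pattern matching and only surfaces when something reasons about which statements are reachable. Even this control-flow check is a toy: it ignores loops, nested conditions, calls through framework decorators and guards implemented elsewhere, which is exactly where the editorial says real tools struggle.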