Re: The Hope of Code Checkers

  • To: "Patch Management Mailing List" <[EMAIL PROTECTED]>
  • Subject: Re: The Hope of Code Checkers
  • From: Adam Shostack <[EMAIL PROTECTED]>
  • Date: Thu, 15 Apr 2004 17:46:30 -0400
  • In-reply-to: <[EMAIL PROTECTED]>
  • References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
  • Reply-to: "Patch Management Mailing List" <[EMAIL PROTECTED]>
On Thu, Apr 15, 2004 at 02:10:56PM -0700, David Fetrow wrote:
| On Thu, 15 Apr 2004, Adam Shostack wrote:
| 
| > Tools that examine code for things that can lead to
| > problems, (e.g., RATS, ITS4, splint), and tools that break entire
| > classes of problem (StackGuard, Sana, Okena and the like).
| >
| > (The code examining tools are the free, static code checkers.  There
| > are also dynamic testing tools from companies like spidynamics,
| > sanctum, and WhiteHat.)
| >
| > I think that as these code checking tools improve, we may see an
| > improvement in code quality that comes along with that.  Have you
| > asked your software vendor what they do to assure code quality lately?
| 
| 
|  I wouldn't get too optimistic. Running lint, splint (or even gcc with
|  -Wall) on C code you're using now in production can be a depressing
|  albeit eye-opening exercise.
| 
|  Adjust tool and language names for your environment.
| 
|  But hey, lint has only been around for *** 30 years *** or so, maybe
|  the NEXT generation of coders will do the right thing.

Touche!  ;)

I think that the previous poster mentioned the economics of getting to
market first winning.  I hope that the pain of patch management can be
focused into customers asking vendors smarter questions about their
processes--which tools?  How good are your results? I think this is
not absurd because of the amount of time and money spent on patching,
and CIOs are asking "Why are we buying this crap?" and "Is there less
crappy software that would do this?"

Measuring your cost of patch management, downtime due to security
breaches, downtime due to patch conflicts, etc, can make a good
argument for spending time on due diligencing the software.  I know
of at least three security vendors, post-Witty, who have gotten a
customer grilling on this subject.  I'm hoping it's the start of a
trend.

Adam

---
To unsubscribe send a blank email to [EMAIL PROTECTED]
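The thread above talks about the free static checkers (RATS, ITS4, splint) without showing what they actually do. As an added illustration, not code from this list or from any of those projects, here is the core of a RATS/ITS4-style scanner in Python: blank out comments and string literals so line numbers survive, then flag calls to a small table of known-risky C library functions with a severity and a remediation note. The risk table, the severities and the sample C source are constructed for this example and are not the real tools' databases.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Illustrative risk table (assumption: not RATS's or ITS4's real database).
# call name -> (severity 1..3, note for the developer)
RISKY_CALLS: Dict[str, Tuple[int, str]] = {
    "gets":    (3, "reads unbounded input; use fgets() with a buffer size"),
    "strcpy":  (2, "unbounded copy; check length or use snprintf()"),
    "strcat":  (2, "unbounded append; check remaining space first"),
    "sprintf": (2, "unbounded format into a buffer; prefer snprintf()"),
    "scanf":   (1, "%s without a field width is unbounded"),
    "system":  (1, "runs a shell; verify where the argument comes from"),
}

# \b keeps fgets() from matching gets(); snprintf() never contains 'sprintf'.
CALL_RE = re.compile(r"\b(" + "|".join(RISKY_CALLS) + r")\s*\(")


class Finding(NamedTuple):
    line: int
    call: str
    severity: int
    note: str


def _blank(m: re.Match) -> str:
    # Replace every non-newline character with a space so that later
    # line counting is unaffected by what was removed.
    return re.sub(r"[^\n]", " ", m.group(0))


def strip_comments_and_strings(source: str) -> str:
    """Blank out /* */ comments, then "..." literals, then // comments.

    Order matters: a quote inside a block comment must not open a string,
    and a // inside a string literal must not start a comment. This is a
    lexer-free approximation, like the early pattern-based checkers.
    """
    source = re.sub(r"/\*.*?\*/", _blank, source, flags=re.DOTALL)
    source = re.sub(r'"(?:\\.|[^"\\\n])*"', _blank, source)
    source = re.sub(r"//[^\n]*", _blank, source)
    return source


def scan_c_source(source: str) -> List[Finding]:
    """Return findings ordered by severity (high first), then by line."""
    findings: List[Finding] = []
    cleaned = strip_comments_and_strings(source)
    for lineno, line in enumerate(cleaned.splitlines(), start=1):
        for m in CALL_RE.finditer(line):
            name = m.group(1)
            severity, note = RISKY_CALLS[name]
            findings.append(Finding(lineno, name, severity, note))
    return sorted(findings, key=lambda f: (-f.severity, f.line))


def format_report(findings: List[Finding]) -> str:
    if not findings:
        return "no risky calls found"
    return "\n".join(
        f"line {f.line}: {f.call}() [severity {f.severity}] {f.note}"
        for f in findings
    )


# Constructed sample input: the kind of 1990s C the thread is talking about.
# The commented-out sprintf() and the string containing "gets(" must NOT fire.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>

int main(void) {
    char name[32];
    char greeting[64];
    gets(name);
    strcpy(greeting, "Hello, ");
    strcat(greeting, name);
    /* previously: sprintf(greeting, "Hello, %s", name); */
    // printf("never call gets() in new code\\n");
    snprintf(greeting, sizeof greeting, "Hello, %s", name);
    return 0;
}
"""

if __name__ == "__main__":
    print(format_report(scan_c_source(SAMPLE_C)))
```

Running it on the sample reports gets() on line 7 and strcpy()/strcat() on lines 8 and 9, and nothing for the snprintf() call or the two comments. The point the thread makes still stands: a scanner like this only finds the calls it has been told about, so a clean report is a floor, not a verdict.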
