Zero tolerance for bugs
By Deb Radcliff
August 1, 2008 —
(Page 1 of 5)
If you’re in the business of developing high-assurance programs, any bug is a bad bug, says Phyllis Schneck, vice president of research integration at Secure Computing Corp.
“It’s no longer like the old days, when I was reviewing FAA code and we just had to be sure the application worked,” notes Schneck, former chairman of the national board of FBI InfraGard, a public-private infrastructure protection partnership. “Nowadays, everyone is equally worried about security defects, particularly as software code runs more and more of our infrastructure.”
As risks have increased, traditional bug-finding tools have risen to meet new security challenges. This is particularly true with static analysis testers, which can scream through a million lines of code in 90 minutes and tell developers not only what is wrong with the code, but also explain the security risk and the fix, as well as track repairs.
“Once a developer starts using static analysis tools, that developer won’t be able to imagine life without them,” says Theresa Lanowitz, founder and CEO of analyst firm Voke. “As a result of using the tools, coding gets better over time, and they save money by making the repairs before the code goes into release, instead of finding them after.”
Despite such enthusiasm, today’s static analysis tools aren’t perfect. They rely on a database of known “signatures” of security-related bugs, so they are prone to the same false positive vs. false negative trade-off you would see in other signature-based technologies like intrusion detection. Nor are they a replacement for dynamic testing, also known as vulnerability analysis of an active application, and so many vendor offerings consist of both static and dynamic testing options.
The other issue is that tools are all over the map—command line freeware, system-based tools (such as Microsoft’s Static Driver Verifier, which looks at drivers), and commercial tools that cover specific languages and platforms to varying degrees. In addition, there are services like Cigital (with 100 employees using a variety of analysis tools) and Veracode, which is a service that scans binary output rather than source code. Most other static analysis tools can scan the latter.
Related Search Term(s): Security, testing & troubleshooting, Coverity
Share this link: http://sdt.bz/32548
Most Read Latest News Blog Resources
Android is the focus of two new design tools
Anywhere Software and Xamarin provide ways for developers to create and test their applications on PCs
|
|
LEADTOOLS HTML5 add-on modules released
Including New HTML5 Zero Footprint Viewer, JavaScript Libraries and RESTful Web Services for Document and Medical SDKs
|
|
How to speed up your Cukes
Using a five-step process derived from Six Sigma, Cucumber tests can go much faster
|
|
WhiteSource offers open-source license management as a service
Software gives companies insight into the open-source components in products
|
SmartBear rolls out new quality solution: API Complete
Software gives organizations ability to write test scripts and monitor APIs by bridging the DevOps divide
|
|
Android is the focus of two new design tools
Anywhere Software and Xamarin provide ways for developers to create and test their applications on PCs
|
|
WhiteSource offers open-source license management as a service
Software gives companies insight into the open-source components in products
|
|
Top five devices you can integrate with your applications
A five-fingered list of common, household items with which you can talk to (via software, of course)
|
Slick...but who needs it?
compilr.com is a well-designed site and the folks behind it seem to have their heart in the right place. But...who needs it?
|
|
How to be a better software developer
Want to be a better developer? You won't get there by mastering an interesting language or learning a new set of APIs.
|
|
Wooing Galatea
Do yourself a favor and check out Galatea 2.2, a wonderful book by novelist Richard Powers.
|
|
The world as story
An artificial-intelligence system at Carnegie Mellon seeks to understand the world by making statements about it.
|
Five SCM Best Practices
Two-thirds of all software projects fail, according to the Standish Group’s CHAOS study. Improper usage of software configuration management...
|
|
|
Best Practices for Branching and Merging Patterns
Development teams often create a branching pattern, usually drawn out on a white board or in a Visio document, that is used as a model to...
|
|
Automated Error Reporting
We invite you to read a short e-zine that tells you all about automated error reporting for .NET applications. This 8-page e-zine is packed...
|
|
The End of Application Redeploys
Imagine that every time you wanted to write, send or receive an email, you needed to restart your computer. How much time would this take, a...
|