Zero tolerance for bugs
By Deb Radcliff
August 1, 2008 —
(Page 1 of 5)
If you’re in the business of developing high-assurance programs, any bug is a bad bug, says Phyllis Schneck, vice president of research integration at Secure Computing Corp.
“It’s no longer like the old days, when I was reviewing FAA code and we just had to be sure the application worked,” notes Schneck, former chairman of the national board of FBI InfraGard, a public-private infrastructure protection partnership. “Nowadays, everyone is equally worried about security defects, particularly as software code runs more and more of our infrastructure.”
As risks have increased, traditional bug-finding tools have risen to meet new security challenges. This is particularly true with static analysis testers, which can scream through a million lines of code in 90 minutes and tell developers not only what is wrong with the code, but also explain the security risk and the fix, as well as track repairs.
“Once a developer starts using static analysis tools, that developer won’t be able to imagine life without them,” says Theresa Lanowitz, founder and CEO of analyst firm Voke. “As a result of using the tools, coding gets better over time, and they save money by making the repairs before the code goes into release, instead of finding them after.”
Despite such enthusiasm, today’s static analysis tools aren’t perfect. They rely on a database of known “signatures” of security-related bugs, so they are prone to the same false positive vs. false negative trade-off you would see in other signature-based technologies like intrusion detection. Nor are they a replacement for dynamic testing, also known as vulnerability analysis of an active application, and so many vendor offerings consist of both static and dynamic testing options.
The other issue is that tools are all over the map—command line freeware, system-based tools (such as Microsoft’s Static Driver Verifier, which looks at drivers), and commercial tools that cover specific languages and platforms to varying degrees. In addition, there are services like Cigital (with 100 employees using a variety of analysis tools) and Veracode, which is a service that scans binary output rather than source code. Most other static analysis tools can scan the latter.
Related Search Term(s): Security, testing & troubleshooting, Coverity
Share this link: http://sdt.bz/32548
Most Read Latest News Blog Resources
Magic announces the release of its revolutionary mobile offering for the development of business applications, with new native clients for iOS and Android platforms
Magic announced today the availability of native iOS and Android clients for its mobile enterprise application platform
|
|
Virtualization: Not just for machines anymore
Network virtualization allows multi-tiered applications to behave as though they were in a physical network
|
|
Achievements and learning: Gamification comes to businesses and schools
Startup takes page from gamers by offering achievement marks to get developers more engaged in their projects
|
|
Zeichick’s Take: The handheld and the tablet, circa 1976
Texas Instruments' and Hewlett-Packard's calculators were doing things decades ago we take for granted today
|
Virtualization: Not just for machines anymore
Network virtualization allows multi-tiered applications to behave as though they were in a physical network
|
|
Achievements and learning: Gamification comes to businesses and schools
Startup takes page from gamers by offering achievement marks to get developers more engaged in their projects
|
|
Google talks tools at AnDevCon III
New 3D debugging tool and recent ADK changes are detailed by Google developers at the third Android Developer Conference
|
|
SmartBear rolls out new quality solution: API Complete
Software gives organizations ability to write test scripts and monitor APIs by bridging the DevOps divide
|
Creation
To write better software, cultivate your ability to be creative.
|
|
Slick...but who needs it?
compilr.com is a well-designed site and the folks behind it seem to have their heart in the right place. But...who needs it?
|
|
How to be a better software developer
Want to be a better developer? You won't get there by mastering an interesting language or learning a new set of APIs.
|
|
Wooing Galatea
Do yourself a favor and check out Galatea 2.2, a wonderful book by novelist Richard Powers.
|
Five SCM Best Practices
Two-thirds of all software projects fail, according to the Standish Group’s CHAOS study. Improper usage of software configuration management...
|
|
|
Best Practices for Branching and Merging Patterns
Development teams often create a branching pattern, usually drawn out on a white board or in a Visio document, that is used as a model to...
|
|
Automated Error Reporting
We invite you to read a short e-zine that tells you all about automated error reporting for .NET applications. This 8-page e-zine is packed...
|
|
The End of Application Redeploys
Imagine that every time you wanted to write, send or receive an email, you needed to restart your computer. How much time would this take, a...
|