Zero tolerance for bugs
By Deb Radcliff
August 1, 2008 —
(Page 1 of 5)
If you’re in the business of developing high-assurance programs, any bug is a bad bug, says Phyllis Schneck, vice president of research integration at Secure Computing Corp.
“It’s no longer like the old days, when I was reviewing FAA code and we just had to be sure the application worked,” notes Schneck, former chairman of the national board of FBI InfraGard, a public-private infrastructure protection partnership. “Nowadays, everyone is equally worried about security defects, particularly as software code runs more and more of our infrastructure.”
As risks have increased, traditional bug-finding tools have risen to meet new security challenges. This is particularly true with static analysis testers, which can scream through a million lines of code in 90 minutes and tell developers not only what is wrong with the code, but also explain the security risk and the fix, as well as track repairs.
“Once a developer starts using static analysis tools, that developer won’t be able to imagine life without them,” says Theresa Lanowitz, founder and CEO of analyst firm Voke. “As a result of using the tools, coding gets better over time, and they save money by making the repairs before the code goes into release, instead of finding them after.”
Despite such enthusiasm, today’s static analysis tools aren’t perfect. They rely on a database of known “signatures” of security-related bugs, so they are prone to the same false positive vs. false negative trade-off you would see in other signature-based technologies like intrusion detection. Nor are they a replacement for dynamic testing, also known as vulnerability analysis of an active application, and so many vendor offerings consist of both static and dynamic testing options.
The other issue is that tools are all over the map—command line freeware, system-based tools (such as Microsoft’s Static Driver Verifier, which looks at drivers), and commercial tools that cover specific languages and platforms to varying degrees. In addition, there are services like Cigital (with 100 employees using a variety of analysis tools) and Veracode, which is a service that scans binary output rather than source code. Most other static analysis tools can scan the latter.
Related Search Term(s): Security, testing & troubleshooting, Coverity
Share this link: http://sdt.bz/32548
Most Read Latest News Blog Resources
Zeichick’s Take: Radio moves from analog waveforms to digital packets
Streaming radio highlights the need for streaming applications to be designed to take up as little bandwidth as possible
|
|
Taking enterprise architecture to the business side
Startup Corso is bringing out a cloud-based planning platform that ties into business plans
|
|
Appcelerator Acquires Cocoafish to Add Instant Mobile Cloud Capabilities to its Industry Leading Titanium Platform
Appcelerator Offers Messaging, Social, Location and Storage Mobile Cloud Services to All Mobile App Publishers
|
|
ComponentOne Releases a Collection of 40+ UI Widgets Powered by HTML5 and jQuery
ComponentOne has announced the 2012 release of Wijmo: a kit of UI widgets for HTML5 and jQuery development
|
Taking enterprise architecture to the business side
Startup Corso is bringing out a cloud-based planning platform that ties into business plans
|
|
Top five apps to manage your workload
Web applications offer new ways to track your “to-do” lists
|
|
Not so fast when it comes to testing in the cloud
Developers face outsourcing, virtual lab management and mobile devices as obstacles
|
|
Xceed releases UX-focused suite for Microsoft’s WPF
"Blendables" helps match user experiences to developer visions
|
Are you at risk for burnout?
Burnout is a severe problem and it can strike at any time. Here's how to tell if you are nearing the edge.
|
|
Agility, mom, and apple pie
If we're to evaluate the state-of-the-art in software development, we should start with the values espoused in the Agile Manifesto.
|
|
RIM woos developers with free tablet
How do you get more apps ported to the BlackBerry PlayBook? By giving every developer a free tablet, of course!
|
|
GitHire: Use Headhunters to Find Your Perfect Programmer
Are you a hiring manager tired of scouring the job boards? Check out this new service that will find 5 people interested in your jobs.
|
The Hidden Costs of Software Licensing
Moving beyond paper-based software licensing to more flexible, software-based licensing is a business decision. There is a growing trend tow...
|
|
Case Study: You May Need a Development Mechanic
As a contractor for a major financial player in Germany, SOBEGE, a German-based consultancy specializing in embedded IT and web services, wa...
|
|
Ensuring Software Quality at a Major International Bank
One of the world’s leading international banks has adopted AgitarOne technology for delivering generated unit tests for their Java software...
|
|
Load Testing Adobe Flex Applications
Adobe Flex applications may be different from applications you’ve worked with before. For classic HTML web applications, the server does all...
|