[WEB SECURITY] Static Code Analysis... Problem/Solution

Rafal @ IsHackingYou rafal at ishackingyou.com
Sun May 18 23:49:30 EDT 2008

Hey readers -

    I've been researching the topic of Web App Sec "Whitebox" testing and have seen some significant failures and problems with the general concept in modern implementations.  That being said, I've written a two-part series of articles that I thought I would ask for the community's response on.  Given that the first "problems" article has gotten some decent response, I posted the follow-up tonight... if you have a minute and would like to provide me some feedback, please give this a read.

    Quick disclaimer, I work for HP ASC so the view in the "solution" is obviously working off of the technology advancements we're implementing (that being said, it's *not* a product plug, I promise).  Obviously the opinion here is mine, and no one else's... except where quoted.

    Again, I appreciate everyone's constructive feedback and welcome any discourse on the topic.  I honestly don't think we're giving this topic enough attention and hopefully this shines a spotlight.

Part 1
Static Code Analysis Failures

Part 2
Hybrid Analysis - The Answer to Static Code Analysis Shortcomings 


Rafal (Ralph) M. Los
IT Security - Response | Mitigation | Strategy

E-mail:  rafal at ishackingyou dot com
 - gPGP:    0xFFC63B33
 - Blog:    http://preachsecurity.blogspot.com
 - Blog:    http://portal.spidynamics.com/blogs/rafal/