[WEB SECURITY] Static code analyzers
john_johnson89 at hotmail.com
Wed Jan 14 17:00:14 EST 2009
Another key factor involved in "best" might be what the tool will find. The vendors in this space have introduced support for languages at different times, and have put different levels of effort into the depth with which they research the threat landscape and to what degree they mark up the API in their security rules knowledgebase(s). For example, at one snapshot in time tool A may scan .Net code but find a limited number of real issues and a high number of FP's, while tool B may have gone deeper and done a better job. Then with a different language that may be reversed.
The best way to really know is to do simple testing on sample code.
Date: Wed, 14 Jan 2009 21:33:48 +0000
From: connectjunkie at gmail.com
To: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] Static code analyzers

Define "better". Are you looking at usage scenario (i.e. integrates into more Visual Studio versions, integrates into Team Studio etc), more security bugs found (will depend on people's experiences and code), runs faster, uses less memory, is cheaper/better value etc etc etc? Also, are you looking at commercial, or freely available solutions?

On 14/01/2009 21:10, "Michael Williams" <mw7301 at hotmail.com> wrote:
I was wondering do any of you have a feel for which static code analyzer does a better job with C# source code? From my research it looks to me like some of the products seem to do better with Java than C++ or vice versa for example so I was wondering which one seemed to do C# the best.