[WEB SECURITY] Static Source Code analysis Methodology

Aleksander P. Czarnowski aleksander.czarnowski at avet.com.pl
Thu May 26 16:52:28 EDT 2011

This is another important issue, as it comes down not only to being able to filter out all false positives, for example, but to actually being able to transfer knowledge from the review to architects, programmers, administrators etc., depending on the chosen remediation solution and the more global approach at the level of the customer's patch management process.


Coming back to my previous post, I believe there is only one working approach: fix all the bugs and errors, regardless of whether they are ever triggered or not. Actually, removing dead code is also one way of making the whole application more secure, and the source code is easier to manage then. My point was that to fully understand an error/bug/vulnerability and associate the proper risk level with it, one must take into account more than just a single line of code. In this process the final execution environment has a crucial impact on the assessment too.


Best Regards,


Aleksander P. Czarnowski

AVET Information and Network Security Sp. z o.o. 




From: websecurity-bounces at lists.webappsec.org [mailto:websecurity-bounces at lists.webappsec.org] On Behalf Of Rohit Pitke
Sent: Wednesday, May 18, 2011 7:59 AM
To: Rusty Johnson; websecurity at webappsec.org; Aleksander P. Czarnowski
Subject: Re: [WEB SECURITY] Static Source Code analysis Methodology


Apart from tool configuration and the various ideas detailed here, I have seen static code analysis tools create too many false positives. So pre-configuration of scans, considering your options (security, code quality, exploitability), is a must. After the scan is complete, I would strongly recommend double-checking most of the issues for their false-positive attribute.

I have seen pain in some recent work we did where one of the tools resulted in more than 20000 issues :)

Best Regards,



From: Rusty Johnson <rusty_johnson2 at yahoo.com>
To: websecurity at webappsec.org; Aleksander P. Czarnowski <aleksander.czarnowski at avet.com.pl>
Sent: Thu, May 12, 2011 5:07:41 AM
Subject: Re: [WEB SECURITY] Static Source Code analysis Methodology

I can agree with you that experience and expertise matter greatly when performing a code review.


The following statements, although in regards to PHP hold true, at least in my experience, for most major frameworks:


Although settings as configured in something like php.ini can greatly affect PHP code behavior, anyone with enough experience doesn't preclude a finding based on these settings. For whatever reason, these settings can be overwritten. If, as part of the overall report, an analyst would prefer to include the mitigating factor (settings), then I would understand. However, if this completely nullifies a finding... I disagree wholeheartedly with the approach taken.
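Both Rusty's point above (a php.ini setting is not a reliable mitigation because it can be overridden) and Aleksander's point earlier in the thread (the execution environment shapes the risk rating) come down to the same verification step: before a reviewer downgrades a finding because of a php.ini value, check whether that value actually survives into the running application. The following is an added example, not code from this thread or from any of the posters; it is a small Python check over three constructed inputs (a php.ini excerpt, a .htaccess excerpt and a PHP source file) that reports where a php.ini "mitigation" is overridden by a per-directory directive or a runtime ini_set() call. The changeability table is a deliberately simplified model of the modes documented in the PHP manual (PHP_INI_ALL / PHP_INI_PERDIR / PHP_INI_SYSTEM) and covers only the handful of settings listed; the sample inputs are constructed for this example.

```python
"""Check whether php.ini settings relied on as mitigations survive the deployment.

Added example (not from the thread). Precedence modelled here, simplified:
php.ini  <  .htaccess / .user.ini (php_flag/php_value)  <  ini_set() at runtime,
where each later layer may only change settings whose mode allows it.
"""
import re
from typing import Dict, List, Tuple

# Simplified subset of PHP's ini changeability modes (assumption: taken from the
# PHP manual; only the settings listed here are modelled).
#   ALL    - may be changed anywhere, including ini_set() at runtime
#   PERDIR - php.ini, .htaccess or .user.ini, but not ini_set()
#   SYSTEM - php.ini or the main httpd.conf only
CHANGEABLE = {
    "display_errors": "ALL",
    "error_reporting": "ALL",
    "log_errors": "ALL",
    "session.cookie_httponly": "ALL",
    "session.cookie_secure": "ALL",
    "allow_url_fopen": "SYSTEM",
    "allow_url_include": "SYSTEM",
    "disable_functions": "SYSTEM",
}

HTACCESS_RE = re.compile(r"^\s*php_(?:flag|value)\s+(\S+)\s+(.+?)\s*$", re.I | re.M)
INI_SET_RE = re.compile(
    r"""\bini_(?:set|alter)\s*\(\s*['"]([^'"]+)['"]\s*,\s*(?:['"]([^'"]*)['"]|([\w.]+))\s*\)"""
)


def norm(value: str) -> str:
    """Normalise ini booleans the way PHP does (On/Yes/True/1 vs Off/No/False/None/0)."""
    v = value.strip().strip("\"'").lower()
    if v in ("on", "yes", "true", "1"):
        return "1"
    if v in ("off", "no", "false", "none", "0", ""):
        return "0"
    return v


def parse_php_ini(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines, ignoring ';' comments and [section] headers."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        settings[key.strip()] = norm(val)
    return settings


def parse_htaccess(text: str) -> Dict[str, str]:
    """Collect php_flag / php_value directives from a .htaccess (or .user.ini-style) file."""
    return {m.group(1): norm(m.group(2)) for m in HTACCESS_RE.finditer(text)}


def find_ini_set(php_src: str) -> List[Tuple[int, str, str]]:
    """Return (line, setting, normalised value) for every literal ini_set()/ini_alter() call."""
    calls = []
    for lineno, line in enumerate(php_src.splitlines(), 1):
        for m in INI_SET_RE.finditer(line):
            value = m.group(2) if m.group(2) is not None else m.group(3)
            calls.append((lineno, m.group(1), norm(value)))
    return calls


def effective_settings(php_ini, htaccess, ini_calls):
    """Apply the per-directory and runtime layers, honouring each setting's mode."""
    eff = {k: (v, "php.ini") for k, v in php_ini.items()}
    notes: List[str] = []
    for name, val in htaccess.items():
        mode = CHANGEABLE.get(name, "ALL")
        if mode in ("ALL", "PERDIR"):
            eff[name] = (val, ".htaccess")
        else:
            notes.append(f"{name}: .htaccess value ignored ({mode} setting)")
    for lineno, name, val in ini_calls:
        mode = CHANGEABLE.get(name, "ALL")
        if mode == "ALL":
            eff[name] = (val, f"ini_set() at line {lineno}")
        else:
            notes.append(f"{name}: ini_set() at line {lineno} has no effect ({mode} setting)")
    return eff, notes


def review_mitigations(php_ini_text: str, htaccess_text: str, php_src: str) -> List[str]:
    """List every php.ini value that does not hold at runtime, plus ineffective overrides."""
    php_ini = parse_php_ini(php_ini_text)
    eff, notes = effective_settings(php_ini, parse_htaccess(htaccess_text), find_ini_set(php_src))
    findings = []
    for name, (value, source) in sorted(eff.items()):
        base = php_ini.get(name)
        if base is not None and value != base:
            findings.append(f"{name}: php.ini says {base} but {source} sets it to {value}")
    return findings + notes


# Constructed sample inputs for this example.
SAMPLE_PHP_INI = """
; constructed php.ini excerpt
[PHP]
display_errors = Off
log_errors = On
allow_url_include = Off
session.cookie_httponly = 1
"""

SAMPLE_HTACCESS = """
# constructed .htaccess excerpt
php_flag session.cookie_httponly off
"""

SAMPLE_PHP_SRC = """<?php
// constructed application code
ini_set('display_errors', '1');   // re-enables error output at runtime
ini_set('allow_url_include', 1);  // attempted, but not changeable at runtime
error_reporting(E_ALL);
"""

if __name__ == "__main__":
    for line in review_mitigations(SAMPLE_PHP_INI, SAMPLE_HTACCESS, SAMPLE_PHP_SRC):
        print(line)
```

Run against the constructed inputs it reports that display_errors and session.cookie_httponly do not hold the value php.ini suggests, while the ini_set() on allow_url_include is a no-op because that setting is only changeable at the system level. A reviewer can then keep the original finding and record the real effective configuration as context, which is what both posters are asking for. Real code bases also set options through ini_alter(), set_ini-style wrappers or variables rather than string literals, so a regex pass like this one is a triage aid, not a replacement for reading the code.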






