wasc-satec@lists.webappsec.org

WASC Static Analysis Tool Evaluation Criteria

View all threads

Re: [WASC-SATEC] Setup and Runtime dependencies wasc-satec Digest, Vol 15, Issue 1

AH
Arthur Hicken
Thu, Mar 7, 2013 12:04 AM

in section 1.3 "Setup and Runtime dependencies" I'd have a hard time
classifying our tool, since it analyzes source code, but can require
dependencies as well. Perhaps a more flexible description here, with a
list of things to check rather than a binary choice.

wasc-satec-request@lists.webappsec.org
mailto:wasc-satec-request@lists.webappsec.org
March 4, 2013 9:00 PM
Send wasc-satec mailing list submissions to
wasc-satec@lists.webappsec.org

To subscribe or unsubscribe via the World Wide Web, visit
http://lists.webappsec.org/mailman/listinfo/wasc-satec_lists.webappsec.org

or, via email, send a message with subject or body 'help' to
wasc-satec-request@lists.webappsec.org

You can reach the person managing the list at
wasc-satec-owner@lists.webappsec.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of wasc-satec digest..."
Today's Topics:

  1. Last Push - Industry Feedback Received (Sherif Koussa)

wasc-satec mailing list
wasc-satec@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/wasc-satec_lists.webappsec.org

Regards,

Arthur Hicken
Evangelist
ParaSoft Corporation - "We Make Software Work"
Tel: (626) 275-2445
Mobile: (909) 728-9232
Fax: (626) 305-9048

Web: Parasoft.com http://parasoft.com
Twitter: @ParasoftArthur https://twitter.com/parasoftArthur
@CodeCurmudgeon http://twitter.com/CodeCurmudgeon
Facebook: CodeCurmudgeon http://facebook.com/CodeCurmudgeon
LinkedIn: ArthurHicken http://www.linkedin.com/in/arthurhicken
Google+ CodeCurmudgeon https://plus.google.com/101492994525913769354
Static Analysis for Fun and Profit
https://plus.google.com/communities/102740030842791003286

SK
Sherif Koussa
Fri, Mar 8, 2013 10:06 PM

Arthur,

Can you suggest alternative text?

Regards,
Sherif

On Wed, Mar 6, 2013 at 7:04 PM, Arthur Hicken <arthur.hicken@parasoft.com> wrote:

in section 1.3 "Setup and Runtime dependencies" I'd have a hard time
classifying our tool, since it analyzes source code, but can require
dependencies as well. Perhaps a more flexible description here, with a list
of things to check rather than a binary choice.


AH
Arthur Hicken
Mon, Mar 11, 2013 3:50 PM

I'm working on some language, but I would like to be sure of the goal -
is the purpose to detail necessary dependencies, or to clarify
differences in scanning methodologies and capabilities, or both?

/Arthur

Sherif Koussa mailto:sherif.koussa@gmail.com
March 8, 2013 2:06 PM
Arthur,

Can you suggest alternative text?

Regards,
Sherif

Arthur Hicken mailto:arthur.hicken@parasoft.com
March 6, 2013 4:04 PM
in section 1.3 "Setup and Runtime dependencies" I'd have a hard time
classifying our tool, since it analyzes source code, but can require
dependencies as well. Perhaps a more flexible description here, with a
list of things to check rather than a binary choice.


SK
Sherif Koussa
Tue, Mar 12, 2013 1:43 AM

I think the goal is to highlight the differences between tools and what
you get from each type.

Regards,
Sherif

On Mon, Mar 11, 2013 at 11:50 AM, Arthur Hicken
<arthur.hicken@parasoft.com> wrote:

I'm working on some language, but I would like to be sure of the goal - is
the purpose to detail necessary dependencies, or to clarify differences in
scanning methodologies and capabilities, or both?

/Arthur

Sherif Koussa sherif.koussa@gmail.com
March 8, 2013 2:06 PM
Arthur,

Can you suggest alternative text?

Regards,
Sherif

Arthur Hicken arthur.hicken@parasoft.com
March 6, 2013 4:04 PM
in section 1.3 "Setup and Runtime dependencies" I'd have a hard time
classifying our tool, since it analyzes source code, but can require
dependencies as well. Perhaps a more flexible description here, with a list
of things to check rather than a binary choice.


AH
Arthur Hicken
Thu, Mar 14, 2013 12:13 AM

In that vein, different types of analysis require different resources
and have different performance and capability. I don't know that I have
final language, but conceptually

  1. some forms of static analysis and some tools require all the
    dependencies, some do not - we should mark which method(s) are supported
    by the tool
  2. analysis of source or binary without dependencies is less
    precise/inquisitive but is easy to use
  3. binary scans miss some level of detail that is present in source
    code but lost during compilation (e.g. comments, contracts, etc.)

Re performance mentioned in the existing language, it currently says
source based scans can be quicker, but it's not necessarily true. Mature
analyzers construct an AST from source, which is more complicated than a
tree of binaries, and is therefore potentially slower, i.e. compile +
analyze > analyze

/arthur

Sherif Koussa mailto:sherif.koussa@gmail.com
March 11, 2013 6:43 PM
I think the goal is to highlight the differences between tools and
what do you get from each type.

Regards,
Sherif

Arthur Hicken mailto:arthur.hicken@parasoft.com
March 11, 2013 8:50 AM
I'm working on some language, but I would like to be sure of the goal

  • is the purpose to detail necessary dependencies, or to clarify
    differences in scanning methodologies and capabilities, or both?

/Arthur

Sherif Koussa mailto:sherif.koussa@gmail.com
March 8, 2013 2:06 PM
Arthur,

Can you suggest alternative text?

Regards,
Sherif

Arthur Hicken mailto:arthur.hicken@parasoft.com
March 6, 2013 4:04 PM
in section 1.3 "Setup and Runtime dependencies" I'd have a hard time
classifying our tool, since it analyzes source code, but can require
dependencies as well. Perhaps a more flexible description here, with a
list of things to check rather than a binary choice.


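A worked illustration of point 3 in the message above (binary scans lose details that exist only in source). This is an added example, not text or code from the thread, from Parasoft, or from the WASC criteria; it uses Python's own compiler as a stand-in for "compile", and SAMPLE_SOURCE plus every function name below are constructed for the example. It records what a source-level scan can see (comments, docstrings, asserts) against what survives in the compiled code object at each optimisation level, which is the same question an evaluator would put to a binary-only tool.

```python
import ast
import dis
import io
import tokenize
import types

# Constructed sample module (hypothetical, not from the thread): a wrapper
# whose safety argument lives in a comment, a docstring and an assert.
SAMPLE_SOURCE = '''\
import subprocess

def run(cmd):
    """Precondition: cmd is a list, never a shell string."""
    # SECURITY: keep shell=False; callers pass attacker-influenced args.
    assert isinstance(cmd, list)
    return subprocess.call(cmd, shell=False)
'''


def source_facts(src):
    """Facts a source-based scan can see: comments, docstrings, asserts."""
    tree = ast.parse(src)
    comments = [tok.string
                for tok in tokenize.generate_tokens(io.StringIO(src).readline)
                if tok.type == tokenize.COMMENT]
    docstrings = [ast.get_docstring(node) for node in ast.walk(tree)
                  if isinstance(node, ast.FunctionDef) and ast.get_docstring(node)]
    asserts = sum(isinstance(node, ast.Assert) for node in ast.walk(tree))
    return {"comments": comments, "docstrings": docstrings, "asserts": asserts}


def _code_objects(code):
    """Yield a code object and every nested code object (function bodies)."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from _code_objects(const)


def compiled_facts(src, optimize=0):
    """Facts a bytecode-based scan can see after compile() at a given -O level.

    optimize=0 matches a plain build, 1 matches -O (asserts dropped),
    2 matches -OO (asserts and docstrings dropped).
    """
    code = compile(src, "<sample>", "exec", optimize=optimize)
    asserts = 0
    for co in _code_objects(code):
        for ins in dis.get_instructions(co):
            # The assert survives as a load of AssertionError; the exact
            # opcode differs between interpreter versions, so match on either
            # the opcode name or the operand text.
            if "ASSERTION_ERROR" in ins.opname or "AssertionError" in ins.argrepr:
                asserts += 1
    # Docstrings survive as the function's __doc__ (what a .pyc carries), so
    # load the module into a scratch namespace and read them back.
    namespace = {}
    exec(code, namespace)
    docstrings = [obj.__doc__ for obj in namespace.values()
                  if isinstance(obj, types.FunctionType) and obj.__doc__]
    # Comments never reach the bytecode at all.
    return {"comments": [], "docstrings": docstrings, "asserts": asserts}


def lost_in_compilation(src, optimize=0):
    """Names of the source-level facts the compiled form no longer carries."""
    before, after = source_facts(src), compiled_facts(src, optimize)
    return {name for name in before if before[name] and not after[name]}


if __name__ == "__main__":
    for level in (0, 1, 2):
        lost = sorted(lost_in_compilation(SAMPLE_SOURCE, level))
        print(f"optimize={level}: lost {lost}")
```

Running it shows the comment is gone at every level, the assert disappears at -O, and the docstring disappears at -OO. The practical point for a criteria entry on setup and input type is that "binary" is not one thing: the build flags decide whether the contracts are still present to be analysed, so a tool that scans compiled artefacts should be asked which build configuration it expects.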
SK
Sherif Koussa
Sun, Mar 17, 2013 5:05 PM

Hi Arthur,

I revised the text you provided and the text already existing, and I don't
see a lot of differences. The goal is to present the different approaches
that different tools take. The more we blur the differences the more the
evaluator will be confused, which weakens the criteria overall. So for
Parasoft, if it is kinda hybrid then the evaluator should just tick both
boxes, and it would be up to you to explain to the evaluator how that is
better than those that just scan source code or those that just work on
binaries. Thoughts?

Regards,
Sherif

On Wed, Mar 13, 2013 at 8:13 PM, Arthur Hicken
<arthur.hicken@parasoft.com> wrote:

In that vein, different types of analysis require different resources and
have different performance and capability. I don't know that I have final
language, but conceptually

  1. some forms of static analysis and some tools require all the
    dependencies, some do not - we should mark which method(s) are supported by
    the tool

Sherif: this is pretty much in line with what we have right now

  2. analysis of source or binary without dependencies is less
    precise/inquisitive but is easy to use

Sherif: We try to stay away from strong judgements, unless everybody in the
group agrees on this fact, then I'd rather not add it.

  3. binary scans miss some level of detail that is present in source code
    but lost during compilation (e.g. comments, contracts, etc.)

Sherif: same as above

Re performance mentioned in the existing language, it currently says
source based scans can be quicker, but it's not necessarily true. Mature
analyzers construct an AST from source, which is more complicated than a
tree of binaries, and is therefore potentially slower, i.e. compile +
analyze > analyze

Sherif: so the idea here is as follows:
Compiled code

/arthur

Sherif Koussa sherif.koussa@gmail.com
March 11, 2013 6:43 PM
I think the goal is to highlight the differences between tools and what do
you get from each type.

Regards,
Sherif

Arthur Hicken arthur.hicken@parasoft.com
March 11, 2013 8:50 AM
I'm working on some language, but I would like to be sure of the goal -
is the purpose to detail necessary dependencies, or to clarify differences
in scanning methodologies and capabilities, or both?

/Arthur

Sherif Koussa sherif.koussa@gmail.com
March 8, 2013 2:06 PM
Arthur,

Can you suggest alternative text?

Regards,
Sherif

Arthur Hicken arthur.hicken@parasoft.com
March 6, 2013 4:04 PM
in section 1.3 "Setup and Runtime dependencies" I'd have a hard time
classifying our tool, since it analyzes source code, but can require
dependencies as well. Perhaps a more flexible description here, with a list
of things to check rather than a binary choice.

