Hello All,
I received a request from one of the "runtime analysis tools" providers (
www.contrastsecurity.com) to list it on the Static Analysis Tools List page
associated with SATEC.
The challenge with these tools is that they provide results that are
similar to static analysis but they don't actually scan the code.
Interested to know what you guys think?
Regards,
Sherif
Some of these tools reverse-engineer the code being executed at the moment
and then scan it, but the scope of the scan may be limited compared to the
more complex often multistage process most static analyzers employ. A more
accurate category for these tools could be “hybrid analyzers”. Perhaps we
could list them in a separate category on the tools page.
Alec Shcherbakov
The information in this email is intended for the addressee. Any other
use of this information is unauthorized and prohibited.
From: wasc-satec [mailto:wasc-satec-bounces@lists.webappsec.org] *On
Behalf Of *Sherif Koussa
Sent: Friday, April 18, 2014 9:23 AM
To: wasc-satec@lists.webappsec.org
Subject: [WASC-SATEC] Runtime Analysis Tools
Hello All,
I received a request from one of the "runtime analysis tools" providers (
www.contrastsecurity.com) to list it on the Static Analysis Tools List page
associated with SATEC.
The challenge with these tools is that they provide results that are
similar to static analysis but they don't actually scan the code.
Interested to know what you guys think?
Regards,
Sherif
I guess my question would be: does our criteria help users choose the right
"hybrid analyzer" or does it help them choose between pure static code
analyzers and "hybrid" analyzers? I am not sure we had the "hybrid"
analyzers in mind when we designed the criteria, therefore, I am just
concerned that referencing these would confuse users more so than help them.
Any thoughts?
Regards,
Sherif
On Fri, Apr 18, 2014 at 5:10 PM, Alec Shcherbakov <
alec.shcherbakov@astechconsulting.com> wrote:
Some of these tools reverse-engineer the code being executed at the moment
and then scan it, but the scope of the scan may be limited compared to the
more complex often multistage process most static analyzers employ. A more
accurate category for these tools could be “hybrid analyzers”. Perhaps we
could list them in a separate category on the tools page.
Alec Shcherbakov
The information in this email is intended for the addressee. Any other
use of this information is unauthorized and prohibited.
From: wasc-satec [mailto:wasc-satec-bounces@lists.webappsec.org] *On
Behalf Of *Sherif Koussa
Sent: Friday, April 18, 2014 9:23 AM
To: wasc-satec@lists.webappsec.org
Subject: [WASC-SATEC] Runtime Analysis Tools
Hello All,
I received a request from one of the "runtime analysis tools" providers (
www.contrastsecurity.com) to list it on the Static Analysis Tools List
page associated with SATEC.
The challenge with these tools is that they provide results that are
similar to static analysis but they don't actually scan the code.
Interested to know what you guys think?
Regards,
Sherif