Empathy List Archives

wasc-satec@lists.webappsec.org

WASC Static Analysis Tool Evaluation Criteria

Re: [WASC-SATEC] Runtime Analysis Tools

McGovern, James

Thu, Apr 24, 2014 1:16 PM

With that being said, I believe there are two action items:

  We should attempt to describe for readers when static analysis approaches run out of steam and when they need to consider sensor models.

  We can add new criteria specifically for sensor-based approaches

From: Sherif Koussa [mailto:sherif.koussa@gmail.com]
Sent: Wednesday, April 23, 2014 1:52 PM
To: McGovern, James
Subject: Re: Runtime Analysis Tools

Yup exactly, like Contrast Security from Aspect.

Sherif

On Wednesday, April 23, 2014, McGovern, James <james.mcgovern@hp.com mailto:james.mcgovern@hp.com> wrote:
By hybrid-analyzers, are you referring to the new breed of tools that inject “sensors”?

From: wasc-satec [mailto:wasc-satec-bounces@lists.webappsec.org javascript:_e(%7B%7D,'cvml','wasc-satec-bounces@lists.webappsec.org');] On Behalf Of Sherif Koussa
Sent: Sunday, April 20, 2014 6:19 PM
To: Alec Shcherbakov
Cc: wasc-satec@lists.webappsec.org javascript:_e(%7B%7D,'cvml','wasc-satec@lists.webappsec.org');
Subject: Re: [WASC-SATEC] Runtime Analysis Tools

I guess my question would be: does our criteria help users choose the right "hybrid analyzer" or does it help them choose between pure static code analyzers and "hybrid" analyzers? I am not sure we had the "hybrid" analyzers in mind when we designed the criteria, therefore, I am just concerned that referencing these would confuse users more so than help them.

Any thoughts?

Regards,
Sherif

On Fri, Apr 18, 2014 at 5:10 PM, Alec Shcherbakov <alec.shcherbakov@astechconsulting.com javascript:_e(%7B%7D,'cvml','alec.shcherbakov@astechconsulting.com');> wrote:
Some of these tools reverse-engineer the code being executed at the moment and then scan it, but the scope of the scan may be limited compared to the more complex often multistage process most static analyzers employ. A more accurate category for these tools could be “hybrid analyzers”. Perhaps we could list them in a separate category on the tools page.

Alec Shcherbakov
The information in this email is intended for the addressee. Any other use of this information is unauthorized and prohibited.

From: wasc-satec [mailto:wasc-satec-bounces@lists.webappsec.org javascript:_e(%7B%7D,'cvml','wasc-satec-bounces@lists.webappsec.org');] On Behalf Of Sherif Koussa
Sent: Friday, April 18, 2014 9:23 AM
To: wasc-satec@lists.webappsec.org javascript:_e(%7B%7D,'cvml','wasc-satec@lists.webappsec.org');
Subject: [WASC-SATEC] Runtime Analysis Tools

Hello All,

I received a request from one of the "runtime analysis tools" providers (www.contrastsecurity.com http://www.contrastsecurity.com) to list it on the Static Analysis Tools List page associated with SATEC.

The challenge with these tools is that they provide results that are similar to static analysis but they don't actually scan the code.

Interested to know what you guys think?

Regards,
Sherif

With that being said, I believe there are two action items: 1. We should attempt to describe for readers when static analysis approaches run out of steam and when they need to consider sensor models. 2. We can add new criteria specifically for sensor-based approaches From: Sherif Koussa [mailto:sherif.koussa@gmail.com] Sent: Wednesday, April 23, 2014 1:52 PM To: McGovern, James Subject: Re: Runtime Analysis Tools Yup exactly, like Contrast Security from Aspect. Sherif On Wednesday, April 23, 2014, McGovern, James <james.mcgovern@hp.com<mailto:james.mcgovern@hp.com>> wrote: By hybrid-analyzers, are you referring to the new breed of tools that inject “sensors”? From: wasc-satec [mailto:wasc-satec-bounces@lists.webappsec.org<javascript:_e(%7B%7D,'cvml','wasc-satec-bounces@lists.webappsec.org');>] On Behalf Of Sherif Koussa Sent: Sunday, April 20, 2014 6:19 PM To: Alec Shcherbakov Cc: wasc-satec@lists.webappsec.org<javascript:_e(%7B%7D,'cvml','wasc-satec@lists.webappsec.org');> Subject: Re: [WASC-SATEC] Runtime Analysis Tools I guess my question would be: does our criteria help users choose the right "hybrid analyzer" or does it help them choose between pure static code analyzers and "hybrid" analyzers? I am not sure we had the "hybrid" analyzers in mind when we designed the criteria, therefore, I am just concerned that referencing these would confuse users more so than help them. Any thoughts? Regards, Sherif On Fri, Apr 18, 2014 at 5:10 PM, Alec Shcherbakov <alec.shcherbakov@astechconsulting.com<javascript:_e(%7B%7D,'cvml','alec.shcherbakov@astechconsulting.com');>> wrote: Some of these tools reverse-engineer the code being executed at the moment and then scan it, but the scope of the scan may be limited compared to the more complex often multistage process most static analyzers employ. A more accurate category for these tools could be “hybrid analyzers”. Perhaps we could list them in a separate category on the tools page. Alec Shcherbakov The information in this email is intended for the addressee. Any other use of this information is unauthorized and prohibited. From: wasc-satec [mailto:wasc-satec-bounces@lists.webappsec.org<javascript:_e(%7B%7D,'cvml','wasc-satec-bounces@lists.webappsec.org');>] On Behalf Of Sherif Koussa Sent: Friday, April 18, 2014 9:23 AM To: wasc-satec@lists.webappsec.org<javascript:_e(%7B%7D,'cvml','wasc-satec@lists.webappsec.org');> Subject: [WASC-SATEC] Runtime Analysis Tools Hello All, I received a request from one of the "runtime analysis tools" providers (www.contrastsecurity.com<http://www.contrastsecurity.com>) to list it on the Static Analysis Tools List page associated with SATEC. The challenge with these tools is that they provide results that are similar to static analysis but they don't actually scan the code. Interested to know what you guys think? Regards, Sherif