[24356] in bugtraq
RE: ITS4 from Cigital flawed
daemon@ATHENA.MIT.EDU (Gary McGraw)
Thu Feb 21 11:36:07 2002
Message-ID: <51CC94132526754995E79DCF28C0C34D07E9C2@exchange.cigital.com>
From: Gary McGraw <gem@cigital.com>
To: "'bugtraq@securityfocus.com'" <bugtraq@securityfocus.com>
Date: Thu, 21 Feb 2002 10:53:56 -0500
MIME-Version: 1.0
Content-Type: text/plain

Both Microsoft and Cigital are committed to building secure and reliable
software. Though simple tools can help, there is really no substitute for
arming developers and architects with the information they need about
security. Both "Building Secure Software" and "Writing Secure Code" are
excellent resources that coders should use.

Cigital's open source security tool ITS4 was released two years ago as an
extensible framework for scanning code. ITS4 and related static analysis
approaches are only as strong as the rules they apply. We encourage
Microsoft and others to create more rules for ITS4 (and other tools) and
make those rules available for all developers and analysts. Before ITS4, no
such collection of rules existed. We believe directed code review using
static analysis tools to assist is the best way to detect potential security
coding errors, and that education and training are the best ways to prevent
them.

Source code review is only one part of a complete approach to software
security. There are currently no automated solutions to architectural
review, which is clearly as important as ferreting out implementation
problems.

Gary McGraw
Cigital

p.s. More relevant technical criticism of ITS4 can be found in John Viega,
J.T. Bloch, Tadayoshi Kohno & Gary McGraw (2000) ITS4: A Static
Vulnerability Scanner for C and C++ Code. In the Proceedings of ACSAC 2000,
December, 2000. Parser-based approaches provide a superior framework for
rules.
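Added illustration (not part of the original message, and not ITS4's source or Cigital's rule set): the post makes two claims, that a scanner is only as strong as its rule table, and that a parser-based approach is a better framework for rules than raw text matching. The example below runs the same small rule table two ways over a constructed C snippet: a grep-style substring scan, and a scan that first blanks out comments and string literals and then only matches identifiers at call sites. The rule table, the advice strings and the C sample are all constructed for this example.

```python
import re

# Constructed rule table (hypothetical, not ITS4's): function name -> reviewer advice.
RULES = {
    "gets":    "unbounded read; use fgets with an explicit buffer size",
    "strcpy":  "no length check; bound the copy or check the length first",
    "sprintf": "no length check; use snprintf",
}

# Constructed C sample for the demonstration (not real project code).
# It contains two real findings and several decoys: a comment, a string
# literal, and an identifier that merely contains a rule word.
SAMPLE_C = r'''
/* legacy note: we used to call strcpy here */
#include <stdio.h>
#include <string.h>
int my_strcpy_safe(char *d, const char *s, size_t n);
void greet(const char *name) {
    char buf[32];
    printf("never use gets() or strcpy in new code\n");   // string literal
    strcpy(buf, name);                                    /* real finding */
    gets(buf);                                            /* real finding */
    my_strcpy_safe(buf, name, sizeof buf);
}
'''


def naive_scan(src):
    """grep-style scan: report every line whose raw text contains a rule word."""
    hits = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for func in RULES:
            if func in line:
                hits.append((lineno, func))
    return hits


# One regex, leftmost-first, so a "/*" inside a string is consumed as string
# text rather than opening a comment.
_SKIP_RE = re.compile(
    r'"(?:\\.|[^"\\\n])*"'        # double-quoted string literal
    r"|'(?:\\.|[^'\\\n])*'"       # character literal
    r"|/\*.*?\*/"                 # block comment (may span lines)
    r"|//[^\n]*",                 # line comment
    re.S,
)

# An identifier immediately followed by "(": a call site (or a definition).
_CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")


def strip_comments_and_strings(src):
    """Blank out comments and literals with spaces, keeping newlines so
    line numbers in findings stay correct."""
    def blank(m):
        return re.sub(r"[^\n]", " ", m.group(0))
    return _SKIP_RE.sub(blank, src)


def token_scan(src):
    """Token-aware scan: match rule names only as whole identifiers at call sites,
    after comments and string literals have been removed."""
    hits = []
    cleaned = strip_comments_and_strings(src)
    for lineno, line in enumerate(cleaned.splitlines(), 1):
        for m in _CALL_RE.finditer(line):
            name = m.group(1)
            if name in RULES:
                hits.append((lineno, name))
    return hits


def report(hits):
    """Render findings with the advice attached to each rule."""
    return ["line %d: %s(): %s" % (lineno, func, RULES[func]) for lineno, func in hits]


if __name__ == "__main__":
    print("naive scan (%d hits):" % len(naive_scan(SAMPLE_C)))
    print("\n".join(report(naive_scan(SAMPLE_C))))
    print("\ntoken-aware scan (%d hits):" % len(token_scan(SAMPLE_C)))
    print("\n".join(report(token_scan(SAMPLE_C))))
```

On the sample, the substring scan reports seven findings, five of them noise (the comment, the string literal twice, and the prototype and call of `my_strcpy_safe`); the token-aware scan reports exactly the two real calls. The second scanner is still not a parser: a call split across lines as `strcpy\n(`, a function pointer taken with `f = strcpy;`, or a macro that expands to `gets` would all be missed, which is the kind of gap a genuinely parser-based rule engine closes. Either way, the rule table is the only thing that decides what counts as a finding, so growing and sharing that table is where the value is.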