http://blogs.zdnet.com/security/?p=2234

Guest editorial by Shyama Rose
Zero Day, December 1st, 2008

The market for the development and implementation of source code analysis (static and dynamic) tools is swelling. Companies increasingly rely on source code analysis tools to identify security-related vulnerabilities. Demand for, and reliance upon, sophisticated automated solutions is greater than the supply of quality tools. Because the tools are underdeveloped and immature, and because of the nature of the industry, the risk that highly complex vulnerabilities are left unidentified and unmitigated is high. Code analysis tools should be used as guidelines or preliminary benchmarks rather than as definitive software security solutions.

The usefulness of analysis tools for augmenting security reviews is undeniable. On large code bases they can reduce the time invested. They provide insight into the code analysis process and can be used as a guide for reviewers. However, a negative trend is emerging in which enterprises rely solely upon automated approaches to gain insight into risk. This creates a false sense of security, as the relying party is likely unaware of the deficiencies behind the security guarantees that tools promote.

The deficiencies of analysis tools are well known and documented. Current tools lack the ability to identify sophisticated bugs and lean towards identifying top-level, common vulnerabilities. Regardless, companies believe the tools lend a good-faith sense of security to their products and customers. In their infancy and lack of sophistication, the tools fall far short of the analysis, and the ability to provide context, that a human brain can generate. The most sophisticated source code analysis tools are signature based, focus on data and rarely address control flow, and fail on frameworks.

[...]

Received on Tue Dec 02 2008 - 23:39:58 PST
This archive was generated by hypermail 2.2.0 : Tue Dec 02 2008 - 23:46:35 PST
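To make the editorial's last point concrete, here is an added example (not part of the editorial, and not any real product's engine): a toy Python checker with hypothetical sink and sanitizer signature lists, run over a constructed sample. In its data-only mode a sanitizing assignment on any branch marks the variable clean everywhere, so the command injection that survives on the else path goes unreported; only the path-sensitive mode, which requires sanitization on every branch, catches it.

```python
import ast   # ast.unparse needs Python 3.9+

# Constructed sample (not from the editorial): only quoted_on_one_path is
# unsafe, and only on the else path, where the input is never quoted.
SAMPLE = '''
import os, shlex
def quoted_on_all_paths(arg):
    cmd = shlex.quote(arg)
    os.system("ls " + cmd)
def quoted_on_one_path(arg, verbose):
    if verbose:
        arg = shlex.quote(arg)
    os.system("ls " + arg)
def never_quoted(arg):
    os.system("ls " + arg)
'''

SINKS = {"os.system"}         # hypothetical signature lists for the toy checker
SANITIZERS = {"shlex.quote"}

def _sanitizer_call(node):
    return isinstance(node, ast.Call) and ast.unparse(node.func) in SANITIZERS

def _clean_names(stmts, path_sensitive):
    """Names assigned from a sanitizer. The data-only mode trusts a sanitizing
    assignment on any branch; path-sensitive mode requires it on every branch.
    Toy simplification: statement order relative to the sink is ignored."""
    clean = set()
    for s in stmts:
        if isinstance(s, ast.Assign) and _sanitizer_call(s.value):
            clean |= {t.id for t in s.targets if isinstance(t, ast.Name)}
        elif isinstance(s, ast.If):
            body = _clean_names(s.body, path_sensitive)
            orelse = _clean_names(s.orelse, path_sensitive)
            clean |= (body & orelse) if path_sensitive else (body | orelse)
    return clean

def findings(source, path_sensitive=False):
    """(function, line) for each sink call fed a name not proven sanitized."""
    out = []
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, ast.FunctionDef):
            continue
        clean = _clean_names(fn.body, path_sensitive)
        for node in ast.walk(fn):
            if isinstance(node, ast.Call) and ast.unparse(node.func) in SINKS:
                used = {n.id for a in node.args
                        for n in ast.walk(a) if isinstance(n, ast.Name)}
                if used - clean:
                    out.append((fn.name, node.lineno))
    return out
```

`findings(SAMPLE)` reports only `never_quoted`, while `findings(SAMPLE, path_sensitive=True)` also reports `quoted_on_one_path`; the gap between the two lists is the class of bug the editorial says a data-only check leaves for a human reviewer.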