[SC-L] Re: Comparing Scanning Tools (false positives)

Crispin Cowan crispin at novell.com
Tue Jun 13 00:38:57 EDT 2006


David A. Wheeler wrote:
> Brian Chess (brian at fortifysoftware dot com) said:
>> False positives:
>> Nobody likes dealing with a pile of false positives, and we work hard to
>> reduce false positives without giving up potentially exploitable
>> vulnerabilities.
> I think everyone agrees that there are "way too many false positives"
> in the sense that "there are so many it's annoying and it costs money
> to check them out" in most of today's tools.
>
> But before you say "tools are useless" you have to ask, "compared to
> what?"
> Manual review can find all sorts of things, but manual review is likely
> to miss many serious problems too.  ESPECIALLY if there are only a
> few manual reviewers for a large codebase, an all-too-common situation.
I would like to introduce you to my new kick-ass scanning tool. You run
it over your source code, and it only produces a single false-positive
for you to check out. That false positive just happens to be the
complete source code listing for your entire program :)

Crispin

-- 
Crispin Cowan, Ph.D.                      http://crispincowan.com/~crispin/
Director of Software Engineering, Novell  http://novell.com
