« Thoughts on Token Security | Main | Building Secure Web Applications Training in Minneapolis »


Jim Manico

Great article and comments.

Being hash on static analysis has its place.

So it's not the tool itself. Heck, I'm currently running findbugs and a commercial product on a 18k LOC Java Project right now.

What I'm harsh on are companies that run static code analysis tools as their primary or only method to secure applications. That's foolhardy and provides a false sense of security.

Software Security is a L:O:T more difficult that NetSec and requires the 4-pronged punch of automatic code analysis, manual code and architectural review, automatic scanning and manual pen testing. We are not talking about proprietary network devices - these enterprise apps are clay.

The manual processes are very appropriate for security-critical apps, and while not scalable, are appropriate when used judiciously.

The comments to this entry are closed.