
Dave Aitel on Static Analysis Tools

Dave Aitel has posted to the dailydave mailing list with his thoughts on the static analysis industry. From his email:

"So OWASP was dominated by lots of talk from and about static code analysis tools. I wandered around with a friend of mine at the various booths (CodeSecure [1], Fortify [2], IBM AppScan [3], Ounce Labs) and tried them all while listening to their sales pitches. My friend works for a financial institution that was looking to integrate static analysis into their code development process. Like many people, she thought the marketing sounded good. Keep in mind, a lot of the sponsors for OWASP were static analysis tool vendors, and the "Industry Panel" was heavily in favor of static analysis tools (until you talked to them off-stage).

Here are my thoughts:

1. The technology's capabilities do not match the marketing pitch – ideally for my friend, the tools would find all the exploitable vulnerabilities in your code and then you would fix them, re-run it, and get a clean bill of health.

All the tools provide you an interface that purports to fit into this workflow. None of them, however, work like that. One of the major problems with the technology is that you have to be a super genius code auditor to decide if the vulnerabilities are real or not.

Also annoyingly the false positive rate is enormous even when run against the tiny test programs they are using to demo the tools with. So you end up with a ten page list of "bugs" that you may or may not be able to understand enough to fix. All the tools provide nice code browsers and a graph of data flow to help you with this process, but in practice it's not enough."

….

"Those are not good signs for the technology field as a whole. One possibility is that more research dollars will flood into the space and the technology will get better and live up to its marketing. Another possibility is that no matter how much you spend, pure static analysis can't do the things you want it to do (the IBM and to some extent Fortify bet)." – Dave Aitel

Read more at: http://seclists.org/dailydave/2008/q4/0005.html