Running Static Analysis Tools - PowerPoint PPT Presentation

About This Presentation
Title:

Running Static Analysis Tools

Description:

At least every release period, every project should receive a security review. ... A Central Authority sets Pinpoint Focus. Start Small, ratchet up. ... – PowerPoint PPT presentation

Number of Views:36
Avg rating:3.0/5.0
Slides: 8
Provided by: csK8
Learn more at: https://www.cs.kent.edu

Transcript and Presenter's Notes

Title: Running Static Analysis Tools


1
Chapter 3
  • Running Static Analysis Tools

2
Why Perform a code review?
  • Routinely (recommended)
  • To prove a point.
  • To retrofit security into a project.
  • At least every release period, every project
    should receive a security review.
    At Microsoft, security reviews take
    about 20% of initial release time and 10% in
    subsequent iterations.

3
The Review Cycle
  • Establish goals (subdivide up to, at most,
    program level)
  • Run the static analysis tool (be sure the code
    compiles!)
  • Review the code (using the output from the tool)
  • Make fixes

4
Some Gotchas
  • The Exploitability trap
  • Lame excuses (page 55)
  • Adoption Anxiety.
  • Who runs the tool?
  • When is the tool run?
  • What happens to the results?

5
Who runs the tool?
  • Canonical answers
    • Programmers
    • Security
  • Better answer
    • All of the above

6
When is the tool run?
  • While the code is being written.
  • At build time
  • At major milestones

7
What happens to the results?
  • Output feeds a Release Gate
  • A Central authority doles out individual results
  • A Central Authority sets Pinpoint Focus
  • Start Small, ratchet up.
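As an added example (not part of the slides), here is a small Python release gate that applies "start small, ratchet up" and "pinpoint focus" to the tool's output: it enforces a count ceiling only for the severities a central authority has chosen, and lowers that ceiling whenever a run passes. The finding format and the file names are hypothetical; a real tool's report would need its own loader.

```python
"""Ratcheting release gate over static-analysis output (added example)."""
import json
import sys
from collections import Counter

# Constructed sample in a hypothetical minimal finding format; a real tool's
# report would be loaded from disk instead (see the __main__ block below).
SAMPLE_FINDINGS = [
    {"file": "src/net.c", "line": 42, "rule": "unbounded-strcpy", "severity": "high"},
    {"file": "src/net.c", "line": 88, "rule": "format-string", "severity": "high"},
    {"file": "src/util.c", "line": 10, "rule": "unused-variable", "severity": "low"},
]


def count_by_severity(findings):
    """Collapse the tool's output to a severity -> count table."""
    return Counter(f["severity"] for f in findings)


def initial_baseline(findings, focus=("high",)):
    """'Start small': accept today's counts, but only for the focused severities."""
    counts = count_by_severity(findings)
    return {sev: counts.get(sev, 0) for sev in focus}


def gate(findings, baseline, focus=("high",)):
    """Return (passed, new_baseline).

    baseline maps severity -> maximum allowed count; only severities in
    focus are enforced (the central authority's pinpoint focus). When the
    gate passes, the allowed count is lowered to the observed count, so the
    total can only ratchet down. Widening focus later needs a fresh
    initial_baseline() for the newly enforced severities.
    """
    counts = count_by_severity(findings)
    passed = all(counts.get(sev, 0) <= baseline.get(sev, 0) for sev in focus)
    new_baseline = dict(baseline)
    if passed:
        for sev in focus:
            new_baseline[sev] = min(baseline.get(sev, 0), counts.get(sev, 0))
    return passed, new_baseline


if __name__ == "__main__":
    # Usage: gate.py findings.json baseline.json (hypothetical file names);
    # the non-zero exit status is what a build system keys the release gate on.
    findings = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_FINDINGS
    baseline = json.load(open(sys.argv[2])) if len(sys.argv) > 2 else initial_baseline(findings)
    ok, updated = gate(findings, baseline)
    print("PASS" if ok else "FAIL", dict(count_by_severity(findings)), updated)
    sys.exit(0 if ok else 1)
```

Run at build time, a FAIL means a focused severity count rose above the last accepted baseline; the updated baseline returned on PASS is what gets committed for the next run.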