Upload
lucinda-casey
View
218
Download
1
Embed Size (px)
Citation preview
Chapter 3
Running Static Analisys Tools
Why Perform a code review?
Routinely (recommended) To prove a point. To retrofit security into a project. At least every release period, every project
should receive a security review. At Microsoft, security reviews take about 20% of initial release time and 10% in subsequent iterations.
The Review Cycle
Establish goals (subdivide up to, at most, program level) Run the static analysis tool (be sure the code compiles!) Review the code (using the output from the tool) Make fixes
Some Gotchas
The Exploitability trap Lame excuses (page 55) Adoption Anxiety. Who runs the tool? When is the tool run? What happens to the results?
Who runs the tool?
Canonical answers: Programmers Security
Better answer: All of the above
When is the tool run?
While the code is being written. At build time At major milestones
What Happens to the results
Output feeds a Release Gate A Central authority doles out individual results A Central Authority sets Pinpoint Focus Start Small, ratchet up.