• Home

  • Documents

  • Chapter 3 Running Static Analisys Tools. Why Perform a code review? Routinely (recommended) To prove...
7
Chapter 3 Running Static Analisys Tools

Chapter 3 Running Static Analisys Tools. Why Perform a code review? Routinely (recommended) To prove a point. To retrofit security into a project. At

Embed Size (px)

Citation preview

Page 1: Chapter 3 Running Static Analisys Tools. Why Perform a code review? Routinely (recommended) To prove a point. To retrofit security into a project. At

Chapter 3

Running Static Analisys Tools

Page 2: Chapter 3 Running Static Analisys Tools. Why Perform a code review? Routinely (recommended) To prove a point. To retrofit security into a project. At

Why Perform a code review?

Routinely (recommended) To prove a point. To retrofit security into a project. At least every release period, every project

should receive a security review. At Microsoft, security reviews take about 20% of initial release time and 10% in subsequent iterations.

Page 3: Chapter 3 Running Static Analisys Tools. Why Perform a code review? Routinely (recommended) To prove a point. To retrofit security into a project. At

The Review Cycle

Establish goals (subdivide up to, at most, program level) Run the static analysis tool (be sure the code compiles!) Review the code (using the output from the tool) Make fixes

Page 4: Chapter 3 Running Static Analisys Tools. Why Perform a code review? Routinely (recommended) To prove a point. To retrofit security into a project. At

Some Gotchas

The Exploitability trap Lame excuses (page 55) Adoption Anxiety. Who runs the tool? When is the tool run? What happens to the results?

Page 5: Chapter 3 Running Static Analisys Tools. Why Perform a code review? Routinely (recommended) To prove a point. To retrofit security into a project. At

Who runs the tool?

Canonical answers: Programmers Security

Better answer: All of the above

Page 6: Chapter 3 Running Static Analisys Tools. Why Perform a code review? Routinely (recommended) To prove a point. To retrofit security into a project. At

When is the tool run?

While the code is being written. At build time At major milestones

Page 7: Chapter 3 Running Static Analisys Tools. Why Perform a code review? Routinely (recommended) To prove a point. To retrofit security into a project. At

What Happens to the results

Output feeds a Release Gate A Central authority doles out individual results A Central Authority sets Pinpoint Focus Start Small, ratchet up.


Rapid Oil Analisys

Rapid Oil Analisys

Documents
ESTRUCTURAL ANALISYS I

ESTRUCTURAL ANALISYS I

Documents
Mobile payments analisys

Mobile payments analisys

Technology
Discourse Analisys Photocopies

Discourse Analisys Photocopies

Documents
Rudin - Analisys

Rudin - Analisys

Documents
Analisys Services

Analisys Services

Technology
Analisys of the_questionary_results_on_recycling2012

Analisys of the_questionary_results_on_recycling2012

Education
DCR Analisys

DCR Analisys

Documents
Qualitativel Analisys

Qualitativel Analisys

Documents
FFT analisys

FFT analisys

Documents
Analisys Process Impurities Rimpamicim

Analisys Process Impurities Rimpamicim

Documents
Earned Value Analisys

Earned Value Analisys

Documents
Ratio Analisys

Ratio Analisys

Documents
Data Analisys

Data Analisys

Documents
Organizational Analisys

Organizational Analisys

Documents
Media Courswork Analisys

Media Courswork Analisys

Documents
Incremental dynamic analisys-performace based analisys

Incremental dynamic analisys-performace based analisys

Documents
eProcurement Spend Analisys

eProcurement Spend Analisys

Documents
analisys sismico

analisys sismico

Documents
oGIP - Quality Analisys

oGIP - Quality Analisys

Documents
Fourier Analisys II

Fourier Analisys II

Documents
Analisys Services 2005

Analisys Services 2005

Documents
Li Yungenre Analisys

Li Yungenre Analisys

Documents
Analisys of UUV

Analisys of UUV

Documents
Analisys Diversity

Analisys Diversity

Documents
Analisys server

Analisys server

Documents
Bigmir Compatitive Analisys March09

Bigmir Compatitive Analisys March09

Business
Thermal Analisys Pharmaceuticals

Thermal Analisys Pharmaceuticals

Documents
Signal System Analisys

Signal System Analisys

Documents
Principal Component Analisys

Principal Component Analisys

Documents