Software Security with Static Code Analysis Using CAT.NET
Andreas Fuchsberger, Information Security Technologist, Microsoft

Agenda
- Code Analysis / Code Inspection
- Motivation
- Static Code Analysis
  - History
  - Current technologies
- CAT.NET
  - How CAT.NET works
  - Installation
  - Use
- Demo
Static Code Analysis

"One example to consider is the GNU Mailman project, an open-source mailing list management package originally written by one of us (Viega). Mailman has been used at an impressive number of places during the past several years to run mailing lists. But for three years, Mailman had a handful of obvious and glaring security problems in the code. (Note that the code was written before we knew or cared much about security!) These problems were of the type that any person armed with grep and a single iota of security knowledge would have found in seconds. Even though we had thousands and thousands of installs during that time period, no one reported a thing. The horrible thing here is that the problem in Mailman persisted for four years, despite being packaged in products you'd expect to be security conscious, such as the Red Hat Secure Web Server product."

From: Secure Programming with Static Analysis