YaK:: WebLog #535 Topic : 2007-07-28 04.31.02 matt : book review : Secure Programming with Static Analysis [Changes]   [Calendar]   [Search]   [Index]   [PhotoTags]   
  [Back to weblog: pretention]  
[mega_changes]
[photos]

book review: Secure Programming with Static Analysis

Fortify, a commercial vendor of static analysis tools, has produced a book on static analysis. Is it just a long-winded advertisement and extended manual for their tools? Read on to find my opinion.


Addison-Wesley was supposed to send me a book on fuzzing to review, but they sent me a book on static code analysis instead. The book is written by Brian Chess and Jacob West, who both work for Fortify Software , a commercial vendor of static analysis tools. The first disconcerting thing I noticed is that all the positive quotes on the book are from members of Fortify's board. All the current Amazon reviews are also by members of Fortify's board(s), all giving 5 starts and saying nothing remotely negative.

Since I don't have a financial stake in Fortify, my review of the book will likely be a bit more balanced. In short, it is a good introduction to some source code analysis concepts. It has source code examples that illustrate vulnerabilities found in various open source projects, and I love that kind of code spelunking. It goes over analyzing configuration files in addition to the binaries, which is also good.

The inclusion of several screenshots from their product isn't what bothers me. What bothers me is that they don't talk about any bugs or code constructs that their product doesn't handle. One might say that no vendor would do such a thing, but CLR via C# and Framework Design Guidelines both have commentary about various deficiencies in C#, the CLR, and the .NET class libraries. I *love* these books for that reason -- I know I'm getting a decently holistic perspective. Nothing is all roses, and acknowledging that fact is critical for giving a balanced perspective, or even the illusion thereof.

The book focuses mostly on function call-based analysis, largely skipping over pointer arithmetic-based vulnerabilities, and looping constructs. I cannot describe how disappointing this is, given that these are the exact kinds of constructs that are missed by so many code reviews and analysis tools. It is negligent, in my opinion, that they don't mention some of the deficiencies of their tool (and others like it) so that people know where they will still need to focus manual reviews.

There are a couple of little mentions at binary analysis and agile development, which read as minor jabs. It reads as though they wanted to discredit or poke fun at those methodologies, but not too overtly. I don't know why they mention the ITS4 and RATS open source tools, other than to plant the idea that open source can't meet the quality of analysis in their commercial tool. They also didn't mention PC-Lint, which I found quite odd.

Anyone interested in the basics of code analysis who can separate the technical reality from the bias of the advertising should take a look. I was happy to see that there is still great value in my BlackHat class because they left out so much. I would say that my class and this book are complementary -- if you like the book and want to go deeper, come check out the class. I'll be monitoring its sales and seeing if it makes sense for me to work on a book that expands on the topic -- without the vendor bias.

Discussion:

showing all 0 messages    

(No messages)

>
Post a new message:

   

(unless otherwise marked) Copyright 2002-2014 YakPeople. All rights reserved.
(last modified 2007-07-28)       [Login]
(No back references.)