On Sun, Jan 8, 2012 at 1:04 AM, Lars <nore...@z505.com> wrote:
> I was watching an older video regarding Static Source code analysis to
> make code more secure. I especially enjoyed your comments about SQL
> injections and escaping sql which all sorts of websites forget to do.
>
> What tools are used in OpenBSD for static source code analysis? I guess
> Lint is considered one tool? Do you, Ted, use other tools than Lint?
> This post is not just meant to be sent for Ted, of course anyone else
> could reply if they know about source code analysis.

Parfait
http://labs.oracle.com/projects/downunder/publications/documents/kca09.pdf

(document about finding bugs in kernels of OpenBSD, Linux and OpenSolaris)

>
> Should some of these static source code analysis techniques be merged into
> compilers to catch more errors right within the development process,
> instead of it being a separate tool?
>
> Advantages of keeping static source code analysis separate tools:
> -keeps the compiler simpler, doesn't add extra code to the compiler
> -the source code analysis tool can be used not just with one compiler that
> has it built in
> -source code analysis needs to be configured on a case by case basis,
> embedding it into the compiler might make things too complex for the user
> setting up the compiler
>
>
> Disadvantages of keeping static analysis separate:
> -people are less inclined to use the separate tool and practice proper
> coding techniques. Building it into the compiler would force them to write
> more secure code on day one.
> -people see the tool as an extra option, rather than developing their code
> right from day one as an essential.
>
> How to solve the disadvantages:
> -ship source code analysis tools with the compiler and encourage people to
> use it more so than we do now, keep the tools as separate modules so they
> can be developed individually but run together possibly with
> processes/pipes.
> -write more books on the topic, I doubt they would be Bestsellers though
> since people are more interested in just having their program compile and
> run quickly
>
> --
> Regards, Lars
>
> GNG is not GNU
> http://gng.z505.com
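As an added example (it is not from this thread, and it is neither OpenBSD's lint nor Oracle's Parfait), here is a small Python AST checker that does the kind of source-level check the thread is talking about: it walks a module, finds DB-API style execute()/executemany() calls, and flags any whose query string is assembled at runtime (concatenation, %-formatting, str.format(), f-string) rather than passed as a literal with a separate parameter tuple. The sink method names, the Finding record and the SAMPLE module it is run on are all assumptions constructed for this illustration.

```python
"""
Tiny AST-based static check for SQL query construction in Python code.
Added example, not a tool from the thread: the rule is deliberately simple.
Any call whose attribute name is in SINK_NAMES (assumed DB-API cursor
methods) and whose first argument is a string built at runtime is reported;
a literal query with a separate parameter tuple is accepted.
"""
import ast
from dataclasses import dataclass
from typing import List, Optional

SINK_NAMES = {"execute", "executemany"}  # assumed DB-API cursor methods


@dataclass
class Finding:
    line: int
    reason: str


def _all_constant(node: ast.expr) -> bool:
    """True if `node` is a literal, or a + chain made only of literals."""
    if isinstance(node, ast.Constant):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _all_constant(node.left) and _all_constant(node.right)
    return False


def _runtime_built_reason(node: ast.expr) -> Optional[str]:
    """Return why `node` counts as a runtime-built query string, else None."""
    if isinstance(node, ast.JoinedStr):  # f"... {x} ..."
        if any(isinstance(v, ast.FormattedValue) for v in node.values):
            return "f-string interpolates a value into the query"
        return None
    if isinstance(node, ast.BinOp):
        if isinstance(node.op, ast.Add) and not _all_constant(node):  # "..." + x
            return "query assembled with + concatenation"
        if isinstance(node.op, ast.Mod):  # "..." % x
            return "query assembled with %-formatting"
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        if node.func.attr == "format":  # "...".format(x)
            return "query assembled with str.format()"
    return None


class SqlSinkVisitor(ast.NodeVisitor):
    """Collects a Finding for every sink call fed a runtime-built query."""

    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr in SINK_NAMES and node.args:
            reason = _runtime_built_reason(node.args[0])
            if reason:
                self.findings.append(Finding(node.lineno, reason))
        self.generic_visit(node)


def check_source(source: str) -> List[Finding]:
    """Parse `source` and return findings in source order."""
    visitor = SqlSinkVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


# Constructed sample module: four unsafe query builds, then two parameterised
# calls that the checker should leave alone.
SAMPLE = '''
def lookup(cur, name, ids):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    cur.execute("SELECT * FROM users WHERE name = '%s'" % name)
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
    cur.execute("SELECT * FROM users WHERE name = '{}'".format(name))
    cur.execute("SELECT * FROM users WHERE name = %s", (name,))
    cur.executemany("INSERT INTO seen (id) VALUES (%s)", [(i,) for i in ids])
'''

if __name__ == "__main__":
    for f in check_source(SAMPLE):
        print(f"line {f.line}: {f.reason}")
```

Run as a script it reports lines 3 to 6 of SAMPLE and nothing for the two parameterised calls. It is intentionally syntactic: it does not track where `name` came from, so a value that is already validated will still be flagged, which is the usual trade-off between a cheap compiler-style check and the configurable, whole-program analysis the thread contrasts it with.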
