On Wed, 5 Aug 2009, Romain Gaucher wrote:

> But for me, we had a hard time with using a consistent and actually
> meaningful scoring:
>  - What is a false-positive?
>  - How important is this particular finding?

For those on this list, I cover these in some detail in my paper within
the NIST document.

> This was to me one of the most important limitations since eventually we
> had most of the traces from the different tools.

... and I did create my own program to take the traces and make them
somewhat usable, but it was still slower than using the live tools.

Also, that didn't help with constructs like:

  sprintf("%s%s", a, b);

where the tool was flagging 'a' and I thought it was flagging 'b'.

> As Chris said, most of these problems should be addressed in the next
> SATE, and I hope many tool vendors will be in again :)

So do I!!  It would be nice to have a much cleaner data set to work with.

- Steve
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________