Running Static Analisys Tools

1
Chapter 3

• Running Static Analisys Tools

2
Why Perform a code review?

• Routinely (recommended)?
• To prove a point.
• To retrofit security into a project.
• At least every release period, every project
  should receive a security review.
  At Microsoft, security reviews take
  about 20 of initial release time and 10 in
  subsequent iterations.

3
The Review Cycle

• Establish goals (subdivide up to, at most,
  program level)?
• Run the static analysis tool (be sure the code
  compiles!)?
• Review the code (using the output from the tool)?
• Make fixes

4
Some Gotchas

• The Exploitability trap
• Lame excuses (page 55)?
• Adoption Anxiety.
• Who runs the tool?
• When is the tool run?
• What happens to the results?

5
Who runs the tool?

• Canonical answers
• Programmers
• Security
• Better answer
• All of the above

6
When is the tool run?

• While the code is being written.
• At build time
• At major milestones

7
What Happens to the results

• Output feeds a Release Gate
• A Central authority doles out individual results
• A Central Authority sets Pinpoint Focus
• Start Small, ratchet up.