Bugtraq mailing list archives

RE: ITS4 from Cigital flawed


From: Gary McGraw <gem () cigital com>
Date: Thu, 21 Feb 2002 10:53:56 -0500

Both Microsoft and Cigital are committed to building secure and reliable
software. Though simple tools can help, there is really no substitute for
arming developers and architects with the information they need about
security. Both "Building Secure Software" and "Writing Secure Code" are
excellent resources that coders should use.

Cigital's open source security tool ITS4 was released two years ago as an
extensible framework for scanning code. ITS4 and related static analysis
approaches are only as strong as the rules they apply. We encourage
Microsoft and others to create more rules for ITS4 (and other tools) and
make those rules available for all developers and analysts. Before ITS4, no
such collection of rules existed. We believe directed code review using
static analysis tools to assist is the best way to detect potential security
coding errors, and that education and training are the best ways to prevent
them.

Source code review is only one part of a complete approach to software
security. There are currently no automated solutions to architectural
review, which is clearly as important as ferreting out implementation
problems.

Gary McGraw
Cigital

P.S. More relevant technical criticism of ITS4 can be found in John Viega,
J.T. Bloch, Tadayoshi Kohno & Gary McGraw (2000) ITS4: A Static
Vulnerability Scanner for C and C++ Code. In the Proceedings of ACSAC 2000,
December, 2000. Parser-based approaches provide a superior framework for
rules.
