Secure Coding mailing list archives

IBM Acquires Ounce Labs, Inc.


From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 5 Aug 2009 16:57:00 -0400 (EDT)


On Wed, 5 Aug 2009, Romain Gaucher wrote:

> But for me, we had a hard time with using a consistent and actually,
> meaningful scoring:
>  - What is a false-positive?
>  - How important is this particular finding?

For those on this list, I cover these in some detail in my paper within
the NIST document.

> This was to me one of the most important limitations since eventually we
> had most of the traces from the different tools.

... and I did create my own program to take the traces and make them
somewhat usable, but it was still slower than using the live tools.

Also, that didn't help with constructs like:

  sprintf(buf, "%s%s", a, b);

where the tool was flagging 'a' and I thought it was flagging 'b'.

> As Chris said, most of these problems should be addressed in the next
> SATE, and I hope many tool vendors will be in again :)

So do I!!  It would be nice to have a much cleaner data set to work with.

- Steve
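The argument-ambiguity problem Steve describes (a tool reports "line 42" for a `sprintf` call with several candidate arguments, and the reviewer cannot tell which one it meant) is the kind of thing a trace-normalisation script has to handle. The following is an added example, not Steve's own program or any SATE tooling: it parses the arguments of a call on a source line, maps a tool finding to the argument its column lands on, and reports every argument as a candidate when the tool gives only a line number. The tool names, file name and findings are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Finding:
    """One finding as a static-analysis tool would report it (constructed shape)."""
    tool: str
    file: str
    line: int
    column: Optional[int]   # None when the tool reports only a line, not a column
    message: str

# Constructed source map: (file, line) -> text of that line.
SOURCE: Dict[Tuple[str, int], str] = {
    ("util.c", 42): '    sprintf(buf, "%s%s", a, b);',
}

def call_args(line_text: str, func: str = "sprintf") -> List[Tuple[str, int]]:
    """Return (argument_text, 1-based start column) for each argument of the
    first call to `func` on the line. Tracks nested parentheses and string
    literals so a comma inside a format string is not taken as a separator."""
    m = re.search(r"\b" + re.escape(func) + r"\s*\(", line_text)
    if not m:
        return []
    raw: List[Tuple[str, int]] = []
    start = m.end()
    depth = 0
    in_str = False
    j = start
    while j < len(line_text):
        c = line_text[j]
        if in_str:
            if c == "\\":
                j += 1          # skip the escaped character
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == "(":
            depth += 1
        elif c == ")":
            if depth == 0:
                raw.append((line_text[start:j], start))
                break
            depth -= 1
        elif c == "," and depth == 0:
            raw.append((line_text[start:j], start))
            start = j + 1
        j += 1
    out = []
    for text, s in raw:
        stripped = text.lstrip()
        leading = len(text) - len(stripped)
        out.append((stripped.rstrip(), s + leading + 1))   # convert to 1-based column
    return out

def resolve(finding: Finding, source: Dict[Tuple[str, int], str]) -> List[str]:
    """Candidate arguments a finding may refer to: exactly one when the tool
    supplied a column inside an argument, all of them when it gave only a line."""
    text = source.get((finding.file, finding.line))
    if text is None:
        return []
    args = call_args(text)
    if finding.column is None:
        return [a for a, _ in args]
    for a, col in args:
        if col <= finding.column < col + len(a):
            return [a]
    return []

def compare(f1: Finding, f2: Finding, source: Dict[Tuple[str, int], str]) -> str:
    """Decide whether two tools' findings on the same line point at the same
    argument: 'same', 'different', or 'ambiguous' when either lacks precision."""
    c1, c2 = resolve(f1, source), resolve(f2, source)
    if len(c1) == 1 and len(c2) == 1:
        return "same" if c1 == c2 else "different"
    return "ambiguous"

if __name__ == "__main__":
    # Constructed findings: one tool reports a column, the other only a line.
    precise = Finding("toolA", "util.c", 42, 26, "tainted data reaches sprintf")
    line_only = Finding("toolB", "util.c", 42, None, "tainted data reaches sprintf")
    print(resolve(precise, SOURCE))      # ['a']
    print(resolve(line_only, SOURCE))    # ['buf', '"%s%s"', 'a', 'b']
    print(compare(precise, line_only, SOURCE))   # ambiguous
```

When a tool emits only line numbers, `resolve` deliberately returns every argument rather than guessing, so the reviewer sees the ambiguity instead of silently scoring a match (or a false positive) against the wrong argument.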

