From 22868dbe1ddbd1b213b4a9b08c2e9b1dcf7f6f50 Mon Sep 17 00:00:00 2001 From: charlie Date: Thu, 24 Nov 2016 19:50:45 +0100 Subject: [PATCH] Fortify uselessness reflection. --- report/reflection.tex | 2 +- report/reflection.tools.tex | 23 +++++++++++++++++++++++ 2 files changed, 24 insertions(+), 1 deletion(-) create mode 100644 report/reflection.tools.tex diff --git a/report/reflection.tex b/report/reflection.tex index e9d0f20..3ce7222 100644 --- a/report/reflection.tex +++ b/report/reflection.tex @@ -40,7 +40,7 @@ some components, like input escaping, are just not present. \input{reflection.asvs.tex} \subsection{On HP Fortify / automated code analysis tools} -(TODO: Charlie) +\input{reflection.tools.tex} \subsection{?} (TODO: Mart) diff --git a/report/reflection.tools.tex b/report/reflection.tools.tex new file mode 100644 index 0000000..c03d227 --- /dev/null +++ b/report/reflection.tools.tex 
@@ -0,0 +1,23 @@ + +% How useful were code analysis tools? +The usefulness of the Fortify Static Code Analysis tool turned out to be very limited. +Since we had most verdicts ready before a license was provided we couldn't use +the tool as an initial guide trough the code. This forced us to manually check +the application source which took quite some time. After the tool became available we +didn't get any new insights regarding potential security risks, just more examples +of problems we already detected. + +% How could they be improved? (niet echt een antwoord maar we hebben de tool ook niet echt gebruikt?) +In our opinion the tool could have proved very useful in pointing out certain security +flaws in the initial stage of this project since we spent a lot of time scanning the +application code-base. Since Fortify located relatively low-level problems we could +have used these to locate potential hot-spots. +Saving us from going trough every source file and trying to determine if they are part of the +applications external access points. In order to improve upon the tool we suggest a larger +focus on determining which parts of a application need to be secure and less on pointing +out actual security flaws. + +% How did you experience the rates and amounts of false and true positives? +TODO: feedback per groepslid, ik heb geen idee hoe iedereen dit ervaren heeft. + +% How might that be improved? -- 2.20.1
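Review bot: in the reflection.tex hunk, dropping `(TODO: Charlie)` in favour of `\input{reflection.tools.tex}` hides the fact that this subsection is still unfinished: the included file answers only two of its four comment questions and ends with a bare `% How might that be improved?` comment with nothing under it. Either keep a TODO marker next to the `\input` until reflection.tools.tex is complete, or finish the file in the same commit, so that a build of the report does not silently present a half-written section as done.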
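Review bot: in the new reflection.tools.tex, the line `+TODO: feedback per groepslid, ik heb geen idee hoe iedereen dit ervaren heeft.` ("TODO: feedback per group member, I have no idea how everyone experienced this") is not prefixed with `%`, so it will be typeset verbatim into the report; prefix it with `%` like the other question markers, and likewise the Dutch aside in `% How could they be improved? (niet echt een antwoord ...)` should be either resolved or left as a comment only. A few language fixes are needed before this is merged: "trough" should be "through" (twice), "a application" should be "an application", "applications external access points" should be "application's external access points", and "Saving us from going trough every source file ..." is a sentence fragment that belongs to the preceding sentence ("... locate potential hot-spots, saving us from going through ..."). The product is named Fortify Static Code Analyzer (SCA), not "Static Code Analysis tool". On substance, the improvement suggestion "less on pointing out actual security flaws" reads as asking a static analyser to report fewer findings; what the paragraph actually argues for is ranking findings by whether they are reachable from the application's external entry points, so it would be clearer to phrase it that way. Finally, the false/true positive question still needs an answer with at least rough counts per finding category, since the paragraph above already states that Fortify produced "more examples of problems we already detected" without quantifying it.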