
[News] Firefox Code Analysis Raised False Positives

Static Analysis And Scary Headlines

,----[ Quote ]
| That's not an unfair summary since Harrison's post says "The analysis 
| resulted in 655 defects and 71 potential security vulnerabilities."
| 
| The problem is Klocwork, like most other static analysis tools, reports
| false positives; i.e., it reports problems that are not actually bugs in
| the code. (More precisely, it may identify error behaviours that
| actually cannot occur in any run of the program.)...
`----

http://weblogs.mozillazine.org/roc/archives/2006/09/static_analysis_and_scary_head.html

I wonder how many such false positives ('vulnerabilities') would have been
raised had Internet Explorer been Open Source and thus open for analysis.

Also yesterday:

,----[ Quote ]
| "Just counting up the bugs is not a good measure of how secure an
| application is," she argued, referring to some criticisms of the
| open-source browser when compared to its main rival, Microsoft's Internet
| Explorer. A year ago, for instance, Symantec tallied the numbers and
| concluded that Firefox had suffered twice as many vulnerabilities as IE.
| (In March 2006, Symantec recanted when it changed how it counted up
| flaws, and found the Firefox vs. IE bug battle a draw.)
| 
| "People should be counting the days of risk. How long is the user
| vulnerable? What's the time between a patch issued and the upgrade
| installed?" Snyder asked. Using those metrics, Mozilla's products win
| hands down, she said. "We're turning [patches] around in the space of
| days, not weeks or months."
| 
| Microsoft is regularly criticized for its long patch development and
| test processes; even when an exploit is actively circulating in the
| wild, Microsoft can take weeks to produce a patch.
`----

http://www.techweb.com/showArticle.jhtml?articleID=193000855&cid=RSSfeed_TechWeb
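As an added illustration of the Klocwork point above (an "error behaviour that cannot occur in any run of the program"), here is the shape of a typical infeasible-path false positive in C. This is constructed example code, not from the Mozilla post, the Klocwork report or Firefox itself; the function names, the sample array and the "report here" comment are assumptions about what a path-insensitive checker would flag.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample input (not data from the page). */
static const int kSample[] = {1, 2, 3, 4};

/* `buf` is NULL only when use_copy == 0, and on that branch it is never
 * read. A checker that does not track the correlation between the two
 * tests of `use_copy` still sees a may-be-NULL pointer being indexed and
 * reports a NULL dereference that no execution can reach. */
int sum_values(const int *data, size_t n, int use_copy)
{
    int *buf = NULL;
    if (use_copy) {
        buf = malloc(n * sizeof *buf);
        if (buf == NULL)
            return -1;
        memcpy(buf, data, n * sizeof *buf);
    }
    int total = 0;
    for (size_t i = 0; i < n; i++)
        total += use_copy ? buf[i] : data[i];  /* assumed false-positive report here */
    free(buf);                                  /* free(NULL) is defined by the C standard */
    return total;
}

/* Same observable behaviour, restructured so the pointer that is
 * dereferenced is non-NULL on every path the tool can see. This is the
 * usual way to retire a false positive without changing what the program
 * does, and it also makes the invariant obvious to a human reviewer. */
int sum_values_clean(const int *data, size_t n, int use_copy)
{
    const int *src = data;
    int *buf = NULL;
    if (use_copy) {
        buf = malloc(n * sizeof *buf);
        if (buf == NULL)
            return -1;
        memcpy(buf, data, n * sizeof *buf);
        src = buf;
    }
    int total = 0;
    for (size_t i = 0; i < n; i++)
        total += src[i];
    free(buf);
    return total;
}

int main(void)
{
    size_t n = sizeof kSample / sizeof kSample[0];
    printf("direct=%d copy=%d clean=%d\n",
           sum_values(kSample, n, 0),
           sum_values(kSample, n, 1),
           sum_values_clean(kSample, n, 1));
    return 0;
}
```

The practical caveat: a report like this is not a bug, so it does not belong in a vulnerability count, but code that a tool cannot prove safe is usually code a reviewer cannot easily prove safe either, and the restructured form is cheap insurance against a later edit turning the infeasible path into a feasible one.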
