Top 10 User Mistakes with Static Analysis


I recently attended the Static Analysis Tool Exposition (SATE) IV Workshop sponsored by NIST. The goals of SATE are to:

  • Enable empirical research based on large test sets
  • Encourage improvement of tools
  • Speed adoption of tools by objectively demonstrating their use on real software

I find SATE interesting because it takes a couple of different approaches that are pretty useful to people trying to understand what static analysis can and cannot do. One approach is to have several full-fledged applications with known bugs, along with versions of those applications in which the bugs have been fixed. These show what static analysis tools can do in the real world. Unfortunately, they don’t help much when trying to find out what kinds of issues static analysis can handle overall.

To do that, NIST has developed a test suite that has thousands of test cases with specific issues in them. Part of SATE is running various tools on the test applications and test suites, and then trying to analyze what they can find, how much noise they produce, etc. It’s an interesting exercise. You should check it out.

This year I was privileged to give a presentation myself. I wanted to talk about some of the pragmatic aspects of actually trying to use static analysis in the real world. To that end, I created a slide show around the top 10 user mistakes, meaning the things that prevent organizations from realizing the value they expected or needed from static analysis. These range from improper configuration to poor policy to dealing with noise.

Take a look for yourself. If you love or hate any of them, let me know. If you have others I missed, feel free to mention them in the comments, email me, or reach me on Twitter.



Software Security Conference on Thursday

I’ll be speaking this Thursday at the SATE IV software security conference in McLean, VA. This is a free event open to the public and a great chance to learn more about static analysis at a day-long event. You can register at

My talk is titled “Top 10 User Mistakes with Static Analysis” and I think you’ll enjoy it. If possible I’ll post the slides here after the conference.

Journalism Matters

I know it’s crazy for a blogger to care about this, but I do care about journalism. Once upon a time I worked for a daily newspaper, and I really liked it. While there is a lot of good that comes out of putting power in the people’s hands, there is no excuse for poor journalism, which pervades traditional media as well as the internet community.

So I just joined the Matter project at Kickstarter. It’s supposed to help improve journalism. Take a look for yourself and see what you think.
