Code scanning tools do not make software secure
There has been a lot of press recently about using ‘code scanning’ tools to find security bugs in source code. So I thought I’d share my view on code scanning tools.
Such tools, often called static analysis tools (such as those we have included in Visual Studio 2005), are very useful, but they are no replacement for human intellect. If a developer does not know how to code securely, if a designer does not know how to design secure systems, and if testers don't know how to validate the security posture of code, tools will provide little, if any, help.
At Michael Howard's blog.