AppSecEU08 Scanstud - Evaluating static analysis tools - Revision history

Martinj: /* The presentation */

2008-05-22T13:04:35Z

‎The presentation

Martinj: /* The presentation */

2008-04-04T10:28:55Z

‎The presentation

Martinj: New page: == The presentation == In late 2007 and early 2008 the Siemens CERT and the security group at the University of Hamburg ([http://www.informatik.uni-hamburg.de/SVS SVS]) jointly did a proj...

2008-04-04T10:28:04Z

New page: == The presentation == In late 2007 and early 2008 the Siemens CERT and the security group at the University of Hamburg ([http://www.informatik.uni-hamburg.de/SVS SVS]) jointly did a proj...

New page

== The presentation ==

In late 2007 and early 2008 the Siemens CERT and the security group at the University of Hamburg ([http://www.informatik.uni-hamburg.de/SVS SVS]) jointly did a project to evaluate the capabilities of commercial static analysis tools in respect to finding security vulnerabilities in source code.

For this purpose a mature evaluation methodology was developed which allows:
* Automatic Text-execution and -evaluation
* Easy and reliable testcase creation
* Deterministic correlation between single testcases and respective tool response

The talk will present our methodology, our approach on creating suitable testcases and our experiences regarding the actual evaluation.

'''Note''': We won't present the precise results of the evaluation. We do not consider the actual outcome to be too valuable. The result of such an evaluation is always only a snapshot of evidence which is aging very fast (being invalid with the next version of the respective tools). However, we will share general information regarding our results (overall performance of the tools, medium ratio between False Negatives / False Positive, differences between C and Java analysis, anecdotal stuff, and trivia).

== The speakers ==

The talk will be presented by one or more of the following individuals:

* ''[http://www.informatik.uni-hamburg.de/SVS/personnel/martin/index.php Martin Johns]'': Security researcher and PhD candidat at the University of Hamburg
* ''Moritz Jodeit'': Master's student at the University of Hamburg
* ''Wolfgang Koeppl'': Member of the [https://www.ct.siemens.com/en/technologies/ic/beispiele/cert.html Siemens CERT]
* ''Martin Wimmer'': Member of the [https://www.ct.siemens.com/en/technologies/ic/beispiele/cert.html Siemens CERT]

← Older revision		Revision as of 13:04, 22 May 2008
Line 11:		Line 11:

	'''Note''': We won't present the precise results of the evaluation. We do not consider the actual outcome to be too valuable. The result of such an evaluation is always only a snapshot of evidence which is aging very fast (being invalid with the next version of the respective tools). However, we will share general information regarding our results (overall performance of the tools, medium ratio between False Negatives / False Positive, differences between C and Java analysis, anecdotal stuff, and trivia).		'''Note''': We won't present the precise results of the evaluation. We do not consider the actual outcome to be too valuable. The result of such an evaluation is always only a snapshot of evidence which is aging very fast (being invalid with the next version of the respective tools). However, we will share general information regarding our results (overall performance of the tools, medium ratio between False Negatives / False Positive, differences between C and Java analysis, anecdotal stuff, and trivia).
		+
		+	'''Slides''': [https://www.owasp.org/images/7/76/Johns_jodeit_-_ScanStud_OWASP_Europe_2008.pdf pdf]

	== The speakers ==		== The speakers ==

@@ Line 4: / Line 4: @@
 For this purpose a mature evaluation methodology was developed which allows:
-* Automatic Text-execution and -evaluation
+* Automatic test-execution and -evaluation
 * Easy and reliable testcase creation
 * Deterministic correlation between single testcases and respective tool response
@@ Line 10: / Line 10: @@
 The talk will present our methodology, our approach on creating suitable testcases and our experiences regarding the actual evaluation.
 '''Note''': We won't present the precise results of the evaluation. We do not consider the actual outcome to be too valuable. The result of such an evaluation is always only a snapshot of evidence which is aging very fast (being invalid with the next version of the respective tools). However, we will share general information regarding our results (overall performance of the tools, medium ratio between False Negatives / False Positive, differences between C and Java analysis, anecdotal stuff, and trivia).
 == The speakers ==