Ed Tice is a sales engineer at Synopsys. While he's a bit of a jack of all trades, his primary areas of expertise involve helping customers understand the mechanics of running static analysis, dynamic analysis, fuzzing, and test prioritization security tools.
How do static analyzers manage code dependencies? There are many ways, but the best static analyzers take a hybrid approach to dependency analysis.
Posted in Developer Enablement, Static Analysis (SAST) | Comments Off on Why dependencies matter for SAST
Remediating XSS (cross-site scripting, or HTML injection) is difficult without understanding validation, sanitization, and normalization/canonicalization.
Posted in Web Application Security | Comments Off on Remediating XSS: Does a single fix work?
“I lost my keys. How long will it take to find them?” This is a laughable question, but it’s analogous to “How long will it take to debug this?” Developers scoff at this question as if it were an unreasonable demand, just as inexperienced project managers are shocked that a simple answer isn’t forthcoming. But this interaction says more about the problem we face than about the people involved. Occasionally, an extended debugging session can be fun, and we enjoy telling those “war stories.” But in reality, debugging is one of the most frustrating and inefficient things that we do. By some estimates, we spend about half of our time on it. Debugging code Although we never know how long it will take to debug a particular problem, we do have some idea of the relative difficulty of resolving various issues. If there is a repeatable null pointer dereference, for example, we can often knock it out in a few minutes. The debugging portion is rarely hard. The code fix isn’t anything to write home about either. In this case, the hard part is deciding what the correct behavior for a particular input should be.
Posted in Static Analysis (SAST) | Comments Off on How is static analysis a productivity tool for engineering teams?