| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue Mar 14 16:00:34 2006 From: mwilliamson at falcon.tamucc.edu (Michael Williamson) Subject: Coverity I'm sorry, but relying on some statistical analysis tool to "certify code" is utter bullshit. Sure, this thing is useful in finding bonehead mistakes and certainly is a worthy tool, but code that passes cannot be considered defect free. This leads to a serious false sense of security...and a sense of security Coverity is happy to take your money to give you. I really suspect that path following statistical analysis tools are generally worthless in finding logic errors, and logic errors lead to security problems just as overflows/underruns/pointer mishaps. I'm not saying Coverity is snake oil, on the contrary it's a useful too, but users of it shouldn't make into more than it is. -- Michael Williamson <mwilliamson@...con.tamucc.edu> -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060314/91d1092c/attachment.bin
Powered by blists - more mailing lists