Both Microsoft and Cigital are committed to building secure and reliable software. Though simple tools can help, there is really no substitute for arming developers and architects with the information they need about security. Both "Building Secure Software" and "Writing Secure Code" are excellent resources that coders should use.

Cigital's open source security tool ITS4 was released two years ago as an extensible framework for scanning code. ITS4 and related static analysis approaches are only as strong as the rules they apply. We encourage Microsoft and others to create more rules for ITS4 (and other tools) and make those rules available for all developers and analysts. Before ITS4, no such collection of rules existed. We believe directed code review using static analysis tools to assist is the best way to detect potential security coding errors, and that education and training are the best ways to prevent them.

Source code review is only one part of a complete approach to software security. There are currently no automated solutions to architectural review, which is clearly as important as ferreting out implementation problems.

Gary McGraw
Cigital

p.s. More relevant technical criticism of ITS4 can be found in John Viega, J.T. Bloch, Tadayoshi Kohno & Gary McGraw (2000), "ITS4: A Static Vulnerability Scanner for C and C++ Code", in Proceedings of ACSAC 2000, December 2000. Parser-based approaches provide a superior framework for rules.
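To make the "only as strong as the rules" point concrete, here is a minimal rule-driven lexical scanner in the spirit of ITS4, added as an illustration; it is not ITS4's code or its rule database. The rule table, the C sample and the severities are constructed for this example, and the sample deliberately includes the kind of blind spot (a macro alias for a risky call) that a token scanner misses and a parser-based approach could resolve.

```python
import re

# Constructed rule table: risky C call -> (severity, advice). Not ITS4's real database.
RULES = {
    "gets":    ("high",   "no bounds check; use fgets"),
    "strcpy":  ("high",   "unbounded copy; pass an explicit size (strncpy/strlcpy)"),
    "sprintf": ("high",   "unbounded format; use snprintf"),
    "strcat":  ("medium", "unbounded concatenation"),
    "system":  ("medium", "shell invocation; review how the argument is built"),
}

# One alternation so the leftmost match wins: a string containing "//" is a string, not a comment.
_NOISE_RE = re.compile(
    r'/\*.*?\*/'            # block comment
    r'|//[^\n]*'            # line comment
    r'|"(?:\\.|[^"\\])*"'   # string literal
    r"|'(?:\\.|[^'\\])*'",  # char literal
    re.S,
)
_CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")  # identifier followed by "("

def strip_noise(src):
    # Blank comments and literals but keep newlines so reported line numbers stay correct.
    return _NOISE_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)

def scan(src, rules=RULES):
    # Returns (line, function, severity, advice) for each call that matches a rule.
    findings = []
    for lineno, line in enumerate(strip_noise(src).splitlines(), 1):
        for m in _CALL_RE.finditer(line):
            name = m.group(1)
            if name in rules:
                findings.append((lineno, name) + rules[name])
    return findings

# Constructed C sample. Line 2 (comment) and line 8 (string) must not trigger; line 4
# calls strcpy through the COPY macro and is missed: a lexical rule never sees it.
SAMPLE = """\
#include <string.h>
/* strcpy is banned in this module */
#define COPY strcpy
void my_strcpy(char *d, const char *s) { COPY(d, s); }
int main(int argc, char **argv) {
    char buf[16];
    strcpy(buf, argv[1]);
    puts("call strcpy() here");
    gets(buf);
    return 0;
}
"""

if __name__ == "__main__":
    for lineno, name, sev, advice in scan(SAMPLE):
        print(f"line {lineno}: {name}() [{sev}] {advice}")
```

The output flags only lines 7 and 9; the rule set decides what is found, and the macro on line 4 shows why the letter's closing remark favours parser-based rules.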