[Owasp-o2-platform] Why doesn't SAST have better Framework support (for example Spring MVC)?

Dennis Groves dennis.groves at owasp.org
Sun Oct 23 13:32:31 EDT 2011


It is my humble opinion that there are many, many tools required at
different places and times in the IT security lifecycle, and that nothing
provides 100% coverage. However, each of the tools does have a place
and incrementally helps to reduce risk to acceptable levels.

In my humble opinion, SAST has the most promise as a compiler-integrated
function - one that provides analysis at compile time, when static trees are
already built, and should happen right alongside syntactical and lexical
analysis. I believe such compile-time integration would slightly raise the
bar, and drive back some problems to the place where they are known to be
most inexpensive to address, like - data input validation - why doesn't it
happen?


-- 
Dennis Groves <http://about.me/dennis.groves>, MSc
dennis.groves at owasp.org

 <http://www.owasp.org/>
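As an added illustration of the tree-based, compile-time analysis the post argues for (example code written for this page, not from the post, the O2 platform or any compiler): Python's `ast` stands in for a compiler's already-built syntax tree, and the source, sanitizer and sink names, as well as the sample handlers, are assumed.

```python
import ast

# Constructed sample (hypothetical names): an untrusted request parameter
# reaches a shell command once directly and once through a validation call.
SAMPLE = '''
def handler(request):
    name = request.args.get("name")
    os.system("ls " + name)

def safe_handler(request):
    name = request.args.get("name")
    name = validate(name)
    os.system("ls " + name)
'''
SOURCES = {"get"}           # calls that introduce untrusted input
SANITIZERS = {"validate"}   # calls whose result is treated as clean
SINKS = {"system", "eval"}  # calls that must not receive tainted data

def _calls(node, names):
    # True if node is a call to a bare or attribute function named in names
    if not isinstance(node, ast.Call):
        return False
    f = node.func
    return (isinstance(f, ast.Name) and f.id in names) or \
           (isinstance(f, ast.Attribute) and f.attr in names)

def _uses(node, tainted):
    # True if any variable read inside node is currently tainted
    return any(isinstance(n, ast.Name) and n.id in tainted
               for n in ast.walk(node))

def analyze(source):
    # Walk each function's statements in order, tracking tainted variables;
    # return (function, line) pairs where tainted data reaches a sink.
    findings = []
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, ast.FunctionDef):
            continue
        tainted = set()
        for stmt in fn.body:
            if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
                var = stmt.targets[0].id
                if _calls(stmt.value, SANITIZERS):
                    tainted.discard(var)      # validation clears the taint
                elif _calls(stmt.value, SOURCES) or _uses(stmt.value, tainted):
                    tainted.add(var)          # taint enters or propagates
            elif (isinstance(stmt, ast.Expr) and _calls(stmt.value, SINKS)
                  and _uses(stmt.value, tainted)):
                findings.append((fn.name, stmt.lineno))
    return findings
```

Running `analyze(SAMPLE)` reports only `handler` (line 4 of the sample), because the validation call in `safe_handler` clears the taint before the sink; the analysis is intraprocedural and statement-ordered, which is exactly the kind of check a compiler pass already has the tree for.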

