Shostack + Friends Blog Archive


Tools and Secure Code

Mike Howard (and company) have a great post about why “Code Scanning Tools Do Not Make Software Secure:”

Such tools, often called static analysis tools, such as the tools we have included in Visual Studio 2005, are very useful, but they are no replacement for human intellect. If a developer does not know how to code securely, or if a designer does not know how to design secure systems, and testers don’t know how to validate the security-posture of code, tools will provide little, if any, help.