SoftwareSecurity2014/Group 3/Code Scanning Reflection
Fortify
The principle of having tools that can automatically verify if your application is secure is of course wonderful. Fortify seems to do its job rather well in this. The major drawback, however, is that the tool comes up with a lot of potential issues. When you start looking into these issues, you will find that most of them are not a threat after all. Or maybe some piece of code you are warned about could be insecure, but is not in your application. For example: something like mysql_query($sql); triggers a warning, because there is no immediate validation on $sql. However, the check might have been done in another part of the code, but Fortify will still complain (Erik: but note that Fortify does some data flow analysis, so it might spot the presence/absence of checks in some other parts of the code. Of course, there are limits to this). Furthermore there is the problem of not knowing if the tool finds all real issues, or if it has overlooked some, making you feel like your application is secure while in fact it is not. (Erik: good point)
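The situation described above, as an added example (this is not code from the course page, from Fortify or from RATS): the validation lives in one function, the query in another, so a scanner that looks only at the sink flags the query line; a rewrite with a prepared statement makes the sink safe on its own, so the warning disappears for the right reason rather than because a check was found somewhere else. The page's snippet uses mysql_query(); the mysql extension was removed in PHP 7.0, so mysqli is used here. The function names, the users table and its columns are assumptions made for the example.

```php
<?php
// Added example for this reflection, not code from the course page, from
// Fortify or from RATS. It shows the pattern described above (the check in
// one function, the query in another) and a rewrite that makes the sink
// safe on its own. The page's snippet uses mysql_query(); the mysql
// extension was removed in PHP 7.0, so mysqli is used here. All function
// names, the table and the column names are invented for the example.

// The SQL text is built by plain concatenation and no validation is visible
// here. This is what a scanner keyed on the sink flags: $sql reaches a query
// function and nothing in this function constrains it.
function user_query_text(string $id): string
{
    return "SELECT id, name FROM users WHERE id = " . $id;
}

function find_user(mysqli $db, string $id): ?array
{
    $sql = user_query_text($id);
    $result = mysqli_query($db, $sql);      // the flagged line
    if ($result === false) {
        throw new RuntimeException(mysqli_error($db));
    }
    $row = mysqli_fetch_assoc($result);
    mysqli_free_result($result);
    return $row ?: null;
}

// The check lives in the caller. A lexical scanner never relates this line
// to the sink above; a data-flow engine can, but only if it follows the call
// from handle_request() into find_user(), which is where its limits show.
function handle_request(mysqli $db, array $get): ?array
{
    $id = $get['id'] ?? '';
    if (!ctype_digit($id)) {
        return null;                        // reject anything but digits
    }
    return find_user($db, $id);
}

// Rewrite: a prepared statement. The value is sent separately from the SQL
// text, so it can never change the query's structure. The sink is now safe
// regardless of what callers do, and no checking elsewhere needs to be
// trusted (or found by the tool).
function find_user_prepared(mysqli $db, string $id): ?array
{
    $stmt = mysqli_prepare($db, 'SELECT id, name FROM users WHERE id = ?');
    if ($stmt === false) {
        throw new RuntimeException(mysqli_error($db));
    }
    mysqli_stmt_bind_param($stmt, 's', $id);
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt);  // needs the mysqlnd driver
    $row = $result ? mysqli_fetch_assoc($result) : null;
    mysqli_stmt_close($stmt);
    return $row ?: null;
}

// Constructed inputs; no database is needed to see why the first version is
// only safe as long as every caller validates before calling it.
foreach (['42', '42 OR 1=1'] as $id) {
    printf("%-12s ctype_digit=%-5s sql: %s\n",
        $id, ctype_digit($id) ? 'true' : 'false', user_query_text($id));
}
```

The loop at the end prints the query text that find_user() would send for a benign and a hostile id, which is exactly the difference the ctype_digit() check in handle_request() is there to prevent; whether a given tool credits that check depends on whether it analyses across function boundaries, which is Erik's point about the limits of data flow analysis. The prepared-statement version does not depend on that question at all.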
RATS
RATS does detect some vulnerabilities, but doesn't generate a nice overview including possible solutions for the problems it encountered. Because RATS finds far fewer vulnerabilities than Fortify, this gives us the feeling that the tool is not very secure to use. On the other hand: it is a free tool which runs very fast and has the ability to detect some vulnerabilities you might have overlooked yourself, making your code safer than it would be without using RATS. The number of issues that RATS finds is quite manageable to check yourself and therefore gives you a nice and free starting point. However, if you want a full report on code security, you'd better buy Fortify.