Most of us understand and accept that Web application vulnerability scanning tools (black and white box analysis) don’t find everything, but that’s OK, since they add value to SDLC processes regardless. Consistency and efficiency are good wherever we can get them. The problem is that heated (aggressive/defensive) ideological debates often break out whenever people who don’t get that come into contact with those discussing scanner capabilities. Sometimes, though, we manage to get past all that and have open, collaborative conversations that isolate specific technical limitations, theorize ways to overcome those obstacles or improve processes to compensate for them, and generally move the state of the art forward. This, after all, is what security is all about: process, not product. That’s where Rafal Los’s two-part posts come in.
Static Code Analysis Failures
Hybrid Analysis - The Answer to Static Code Analysis Shortcomings
Don’t let the titles fool you into thinking these posts are anti-static-analysis. Rafal points out certain scanner shortcomings as a premise for putting forth ideas on how to improve the technology by combining capabilities. Of course we're all free to agree or disagree; that's kind of the point. Hopefully he’ll add a third installment that digs deeper into how Hybrid Analysis might function. It seems like an interesting line of research.