Static code analysis

Software Assurance: Time to Raise the Bar on Static Analysis
Dark Reading

The results from tools studies suggest that using multiple tools together can produce more powerful analytics and more accurate results.
I had an interesting conversation recently about the after-effects of Heartbleed and the challenges facing static analysis with Barton Miller, the chief scientist of the Software Assurance Marketplace (SWAMP), which is a project I’m sponsoring at the Department of Homeland Security to improve software quality, and raise the bar of static analysis capabilities.

I wanted to know if the problems associated with static analysis can be attributed to a lackluster analysis engine. Are the core engines in static analysis tools robust enough to keep pace with the complexity and size of modern software? These tools appear to lack depth and breadth, which leads them to oversimplify and to make inaccurate assumptions about the code; as a result they miss (simple) things and produce a generous number of false positives.