Dave Aitel, principal security researcher and founder of security software maker Immunity, says he does not believe that the current crop of products is up to the task. The reason: many pieces of code are falsely labelled as flaws by the tools. Such false positives can sidetrack the developers for a long time, reducing productivity, he said.
"If it finds 500 bugs, you have to go through those 500 bugs and fix them; any false-positive rate destroys the economics," Aitel said. "Maybe in three generations, it will be economically feasible for large code bases."
Yet Aitel acknowledges that such tools are needed.
"If you look at most corporate code, it is littered with easy bugs," he said. "A lot of these really big vendors do no checking at all. There is a big market out there for something that can shoot through 30 million lines of code and catch the obvious stuff."
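The trade-off Aitel and Engler describe can be seen in miniature with a toy checker. The following Python is an added example, not code from the article or from any of the vendors it mentions. It runs two versions of a "find the obvious stuff" scan over a constructed C snippet: a grep-style pass that flags any line mentioning an unbounded call, and a slightly more careful pass that first blanks out comments and string literals and then matches only real call sites. The C sample, the risky-function list and the ground-truth bug lines are all assumptions made up for the demo.

```python
import re

# Constructed C sample (not from the article): two genuinely unbounded calls,
# plus several lines that merely *mention* a risky function name.
SAMPLE_C = """\
/* legacy helper: strcpy was removed from this file in 2004 */
#include <stdio.h>
#include <string.h>

void read_line(char *buf, int len) {
    fgets(buf, len, stdin);                    /* bounded read */
}

void log_notice(void) {
    puts("strcpy is disabled in this build");  /* string literal, not a call */
}

void copy_unbounded(char *dst, const char *src) {
    strcpy(dst, src);                          /* unbounded copy: real finding */
}

void format_unbounded(char *buf, const char *user) {
    sprintf(buf, "%s", user);                  /* unbounded format: real finding */
}

void safe_strcpy_wrapper(char *dst, size_t n, const char *src) {
    strncpy(dst, src, n - 1);                  /* bounded copy */
    dst[n - 1] = 0;
}
"""

# Classic unbounded C calls that a first-generation checker would look for.
RISKY_CALLS = ("strcpy", "sprintf", "gets")

# Lines a human reviewer would confirm as real defects (assumed ground truth).
TRUE_BUG_LINES = {14, 18}


def naive_findings(src: str) -> set[int]:
    """grep-style pass: flag every line containing a risky name as a substring."""
    return {n for n, line in enumerate(src.splitlines(), start=1)
            if any(name in line for name in RISKY_CALLS)}


# Block comments, line comments and string literals, in one alternation so the
# leftmost token wins (a '"' inside a comment does not open a string, etc.).
_SKIP = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"', re.DOTALL)
# A real call site: the bare function name followed by an opening parenthesis.
_CALL = re.compile(r'\b(?:' + '|'.join(RISKY_CALLS) + r')\s*\(')


def _blank_noncode(src: str) -> str:
    """Erase comments and string literals while keeping line numbers stable."""
    def repl(m: re.Match) -> str:
        tok = m.group()
        return '""' if tok.startswith('"') else "\n" * tok.count("\n")
    return _SKIP.sub(repl, src)


def refined_findings(src: str) -> set[int]:
    """Flag only genuine calls to a risky function in executable code."""
    return {n for n, line in enumerate(_blank_noncode(src).splitlines(), start=1)
            if _CALL.search(line)}


def triage_stats(findings: set[int], true_bugs: set[int]) -> dict:
    """Summarise what a developer would have to wade through for this report."""
    tp = len(findings & true_bugs)
    fp = len(findings - true_bugs)
    missed = len(true_bugs - findings)
    precision = tp / len(findings) if findings else 0.0
    return {"reported": len(findings), "true": tp, "false": fp,
            "missed": missed, "precision": precision}


if __name__ == "__main__":
    for label, fn in (("naive", naive_findings), ("refined", refined_findings)):
        found = fn(SAMPLE_C)
        print(label, sorted(found), triage_stats(found, TRUE_BUG_LINES))
```

On this sample the naive pass reports six lines, four of them false positives (a comment, a string literal, `fgets`, and a wrapper whose name contains `strcpy`), so two thirds of the report is wasted review time; the refined pass reports exactly the two real calls. Neither pass misses a bug here, which is the point: precision, not just recall, decides whether developers keep using the tool.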
Another supporter of source code analysers, Dawson Engler, believes that the tools catch enough flaws to make them valuable today.
"I think we will get better and better at finding more and more holes," said Engler, a Stanford University computer science professor who has written much on the field. Engler started Coverity, a company selling source code analysis tools, with several graduate students.
Rival company Ounce Labs intends to put the pressure on software developers by empowering their customers.
The company, which hopes to launch its code analysis product in June, announced on Tuesday that it had created a boilerplate contract addendum that holds software makers responsible for guaranteeing the security of their software. Chief executive Jack Danahy believes that if companies start adding the wording to contracts, developers will then proactively start checking their software for flaws. And that means more customers for those that make analysis tools.
"What happens is that I don't have to accept [the software] from you, unless you make sure it is secure," Danahy said. "Security now becomes a requirement."