In your research, have you tried static code analysis using any form of artificial intelligence, such as Bayesian or neural networks?
Let me know; while I was studying, I was researching this stuff. I would just like to hear from you whether you have had any experience with this.
The short answer is NO, I have not really looked at Bayesian or Neural Networks for SAST (Static Analysis).
The longer answer is that we don't need it (yet), since there are many bigger limitations of the current SAST technology and tools, which we need to solve first before we look into that type of advanced analysis and techniques.
That said, I do believe that Bayesian or Neural Networks have a bigger role to play in Static Analysis of code (SAST) and in modelling how an application behaves (especially from the point of view of security).
But we are completely not ready for it, and we also don't have access to the computation power required.
I have written many blog posts on what I think needs to happen in the SAST world and what the current limitations are.
Here is a selection:
- What are the challenges with SAST that don't need a better engine
- In SAST the issue is 'Trace Connection', not 'Scan Size'
- Why doesn't SAST have better Framework support (for example Spring MVC)?
- We need Security-focused SAST/Static-Analysis rules
- The Need for Standards to evaluate Static Analysis tools
- What does SAST mean? And where does it come from?
- CI is the Key for Application Security SDL integration
- Integrating Security into the User's GUI - In this case Rational AppScan Source in AppScan Standard
- Microsoft's Cat.NET related:
  - Video: Real time Vulnerability Scanning using Cat.Net and Roslyn (SAST)
  - Running Cat.NET SAST Scanner outside VisualStudio
  - What am I doing with Cat.NET?
- ASP.NET Support in SAST and IBM F4F
- Please show Ian Spiro your support for his IBM AppScan research, ideas and energy
- Would I recommend Checkmarx as a SAST engine?