Sunday 23 October 2011

Why doesn't SAST have better Framework support (for example Spring MVC)?

I received this question today, and before I answered it, I was wondering if you guys wanted to have a go at it first: 

"...I was reading over some of your blog entries, that made me thinks about the current state of SAST regarding the current frameworks.
I've been aware for a long time that SAST do not handle properly framework-level information. In the case of Spring MVC, the tools just don't get the data flow, etc.

Since you worked at Ounce before, do you know any particular reason why they didn't want to fo into that direction? I mean, this is a solvable problem (you somewhat show how to do that in O2). Even if they would need to implement new front-ends, this is still a very important task to be done if they wanted to compete directly with Fortify (especially since F. doesn't get it either)....

For reference here are some of my previous Framework (i.e.Spring MVC) related posts:
What do you think?

[Update blog post: What does SAST mean? And where does it come from?]