Agnitio: It’s static analysis, but not as we know it

April 21, 2011  |  Written by Security Ninja  |   Slideshare   |   4 Comments

  2. Jim Bird says:

    I must be missing something. You keep referring to Agnitio as a static analysis tool. So I tried it out. It’s a simple little database app with a hard-coded checklist for secure code and design reviews. The app is a bit clunky to navigate around, but I think I get the main idea: that the reviewer has to follow the same checklist each time, and it allows them to enter some comments and we can save the results and look back at the checks that were done. It’s all simple and rigid and not easy to use. I don’t seem to be able to edit or customize the checklist items or guidance? But it looks like that’s in the 2.0 release (I downloaded 1.2).

    OK, I’ll look forward to trying out the 2.0 release, it looks like it will be easier to use and extensible. It’s a good attempt at capturing the workflow of a security code review. But this isn’t static analysis. I guess calling it so served a purpose, it got me to check out Agnitio thinking it was something that it wasn’t.

  3. Security Ninja says:

    Hi Jim,

    Thanks for the comment on this.

    I wanted to address the static analysis point first. I don’t ever recall referring to Agnitio as a static analysis tool; in the talk above I defined what static analysis means to me and where Agnitio fits in. I feel, to me at least and in the context of the presentation above, that static analysis is the analysis of source code using a tool or a human performing a manual review.

    I do say on slide 28 that it is a tool to help with manual static analysis – a human reviewing the source code. It will perform some basic automated static analysis in v2.0, though; in v1.2 (the latest released version) it doesn’t.

    Would you mind pointing out where it has been referred to as a static analysis tool so I can change this? If I’ve done this anywhere, it certainly wasn’t done in a malicious way to mislead people, as you suggested in your second paragraph, so please let me know where I’ve potentially misled people. You say I keep referring to Agnitio as a static analysis tool, so I assume you have seen me say this in a lot of places; please do let me know where I’ve done this so I can correct it, as I said above.

    Would you also mind spending a bit more time providing some more constructive feedback on the tool? You mentioned a couple of times that it isn’t easy to use; could you expand on this and explain what isn’t easy to use and how you suggest it could be improved? I hope you can find the time to give me that feedback. I do appreciate the comment, but something like “not easy to use” won’t help me improve anything.

    I would also agree that it is a simple app; I don’t see that as a bad thing, to be honest. We have a lot of overpriced, overcomplicated solutions in application security that often fail to help companies produce secure code, so something free and simple might be worth a try.

    The tool wasn’t made to be edited; it was an internal tool I developed that people externally liked the look of, so it was released as is. We had no need to edit checklist items or guidance sections when we released it internally, and until v1.2 was released no one asked for it externally either. When people ask for functionality to be added, it will be added when I get time.

    At the end of the day it’s an open source tool, not a commercial tool, so it won’t be perfect; the UI will probably remain a bit clunky and not everyone will like it, but it’s been downloaded a lot since it was released, so someone must be finding it useful :)

    I do hope you take the time to provide the additional information I asked for above!


  4. Jim Bird says:

    To be fair, you do make it clear in the slides that Agnitio is not a static analysis tool, at least not yet. It was the flashy title “It’s static analysis, but not as we know it” that I thought was an over-sell.

    I do appreciate that Agnitio is freeware (we need more open source software security tools), and I appreciate that you are taking feedback seriously; I’ve seen that you’ve responded to other people’s feedback in your updates to Agnitio. I’ll send you comments based on my experiences using Agnitio 1.2 through email.

