
Mandated Third Party Static Analysis: Bad Public Policy, Bad Security (2014) - xvirk
https://blogs.oracle.com/maryanndavidson/entry/mandated_third_party_static_analysis
======
brudgers
What I find interesting about the article is the tension between Oracle's
business interests in avoiding customers running static analysis of binaries
within the acceptance process and Oracle's clear technical expertise with the
problem domain static binary analysis is intended to address. I have to wonder
if it is a case where Oracle may have worked backward from a position to the
correct solution.

Or to put it another way, it's hard to see a median-quality static analysis
tool vendor having significantly better top engineers than Oracle's top
engineers, while it's easy to apply the "hate on Oracle" meme and dismiss their
position as purely self-interested.

It's also easy to pretend that the fundamental problems are easily solved with
open source by ignoring that organizations run Oracle and other proprietary
software because it abstracts over writing and maintaining and QA'ing code
that does what the proprietary code does. Organizations buy expertise and
Oracle and other proprietary code vendors sell it at scale.

------
Eridrus
This blog post starts out with some truth:

1. 3rd party binary static analysis is not industry standard

devolves to half truths:

2. the number of vendors doing static analysis for security is not what I
would really call "Many"

3. You're probably not going to get good ROI from a static analysis tool. But
you might reduce your risk significantly by not buying Oracle.

And then devolves into pure bullshit (4, 5, 6, 7)

But despite the fact that Mary Ann Davidson seems to have a much greater
interest in hiding Oracle's issues from everyone, rather than actually fixing
them, the attempt to get 3rd party binary static analysis mandated is clearly
Veracode attempting some good ol' fashioned regulatory capture.

Customers really should have the right to attempt binary static analysis on
their vendor's software, but mandating that companies use one niche, specific
technique supported by very few vendors to achieve a broad goal is total
bullshit.

Also, Coverity was bought by Synopsys, not IBM like the post claims.

