blowdart said:

There's also CAT.NET (64bit / 32bit) which uses static code analysis to look for security vulnerabilities such as SQL injection and XSS

 

So i guess you don't do static analysis by hand. I've never used fxcop or other static analysis tools before (or maybe I used it but just does not know that it is called a static analysis tool). But given the complexity of programs that are produced now, wouldn't that require a tremendous effort to do? It's like exploring every path on decission branches and loops. And even that doesn't work anymore right now, since threads and multicore processors are being used more and more everyday. Doing analysis on Java Byte Code or CIL seems to be simpler also rather than doing it on assembly codes. I can't imagine what kind of enormous effort that would be require to tackle this problem.

That said, thanks a lot guys for pointing me to some great static analysis tools out there. Most of the tools that I saw was based on .Net or Java, though. I worked a lot in C++ lately (sigh), want to know if there is such a tool for C++ that runs also on Linux (big financial company usually runs solaris or linux on their servers. so no choice for me there).

Charles, I looked at terminator. I admire the effort that they are putting on. I hope they can achieve the goal they set. However, I could not figure out what platform they are targetting. Are they targetting all platforms? The software seems to be written using a number of programming languages, which kind of interesting.

Overall, I guess my next question is what practically Static Analysis gives you? Zian pointed out it's one level up from syntax error. But, that's still pretty shallow. I would say Static Analysis should give us something significantly more than Unit Test, Code Coverage, and Code Contracts to be worth the effort.

PS: Channel 9 looks horrible on IE 6 v.6.0.2900.2180.xp_sp2...