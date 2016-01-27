Context and environment

All automated tools suffer from a lack of understanding of the environment in which the software they are analyzing runs. They also lack any real understanding of the context of what they are looking at.

The tools can only look at the code. They cannot know that a particular database query hits a read-only schema whose contents were carefully vetted outside the application and might be considered trusted, or at least more trusted than data coming from other sources. They cannot know the file system permissions that may make something like directory traversal extremely difficult to exploit. This knowledge of the environment is crucial to understanding the risk posed by any given finding, and that understanding is vital if you do not wish to waste developers' time on issues that do not need to be addressed or that can be deferred to a future release. Any finding downgraded on environmental grounds should be recorded together with the reason, because a schema or a permission set that is safe in today's deployment can change in a later one.

Context is another issue with tools. Tools often have little understanding of the context in which the code is executing. This is why so many of them flag every instance of a random number generator or every use of a date/time function for inspection by the reviewer. The tool cannot know whether the random number generator is rolling a die or providing a security function such as a session token; it may not be able to tell whether the date/time function is an ordinary use or is there to trigger a time-based backdoor or logic bomb. The tool simply flags them and leaves the reviewer to decide based on the context of the function's use.
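The behaviour described above, as an added example that is not part of the original article: a minimal AST-based flagger in the style of such a tool, run over a constructed sample program. Every call into the `random` and `time` modules is reported regardless of context, so the dice roll, the session token and the log timestamp all come out as findings. A second, hypothetical `triage` step then applies the knowledge only a reviewer has (here a constructed set of function names that sit on a security boundary) to separate the one actionable finding from the noise.

```python
"""Toy AST-based flagger plus reviewer triage (added example, not from the
original article). The sample source, the flagged module list and the set of
security-sensitive functions are all constructed for this illustration."""
import ast

# Constructed sample program; the tool sees only this text, nothing about
# what the values are used for.
SAMPLE_SOURCE = '''
import random
import time

def roll_die():
    # Game logic: predictability does not matter here.
    return random.randint(1, 6)

def make_session_token():
    # Security boundary: a predictable PRNG is a real finding here.
    return "%016x" % random.getrandbits(64)

def log_timestamp():
    # Ordinary use of a date/time function.
    return time.strftime("%Y-%m-%d")
'''

# Modules whose use the "tool" flags blindly, exactly as the article describes.
FLAGGED_MODULES = {"random", "time"}

# Reviewer knowledge the tool does not have (constructed for this example):
# functions whose output crosses a security boundary.
SECURITY_SENSITIVE_FUNCTIONS = {"make_session_token"}


def flag_calls(source):
    """Return every call into a flagged module inside a top-level function.

    Each finding records the enclosing function, the dotted call name and the
    line number, which is all a context-free tool can report.
    """
    tree = ast.parse(source)
    findings = []
    for func in tree.body:
        if not isinstance(func, ast.FunctionDef):
            continue
        for node in ast.walk(func):
            if (isinstance(node, ast.Call)
                    and isinstance(node.func, ast.Attribute)
                    and isinstance(node.func.value, ast.Name)
                    and node.func.value.id in FLAGGED_MODULES):
                findings.append({
                    "function": func.name,
                    "call": "%s.%s" % (node.func.value.id, node.func.attr),
                    "line": node.lineno,
                })
    return findings


def triage(findings, sensitive_functions):
    """Apply reviewer context: split findings into actionable and noise.

    A finding is actionable only if it sits inside code the reviewer knows
    to be security-sensitive; everything else is a false positive.
    """
    actionable, noise = [], []
    for finding in findings:
        if finding["function"] in sensitive_functions:
            actionable.append(finding)
        else:
            noise.append(finding)
    return actionable, noise


if __name__ == "__main__":
    raw = flag_calls(SAMPLE_SOURCE)
    print("tool output (no context):")
    for f in raw:
        print("  line %d: %s in %s()" % (f["line"], f["call"], f["function"]))
    keep, drop = triage(raw, SECURITY_SENSITIVE_FUNCTIONS)
    print("after reviewer triage: %d actionable, %d noise" % (len(keep), len(drop)))
```

The tool reports three findings; only the `random.getrandbits` call in `make_session_token` survives triage, and the fix for that one is to draw the token from a cryptographic source such as `secrets.token_hex` rather than the `random` module.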

Why manual code review is key

Manual reviewers, on the other hand, can know all these things. They understand the operating environment and who the users are. They know the purpose of the software, from the individual function up to the overall purpose of the entire application. They apply this knowledge to the tool's findings to give developers actionable results rather than a collection of junk findings that waste a developer's time, and they use their knowledge of the software and its environment to help prioritize the issues that remain.