[C-safe-secure-studygroup] Testing
Andrew Banks
andrew at andrewbanks.com
Thu Jan 5 07:10:29 UTC 2017
On Wed, Jan 4, 2017 at 3:56 PM, Wheeler, David A via C-safe-secure-studygroup <c-safe-secure-studygroup at lists.trustable.io> wrote:
> Dynamic analysis, including fuzzing and traditional testing, requires
> that you be able to execute the code. There are many circumstances
> where you have the source code but cannot run it directly (e.g.,
> because you need special hardware). In addition, many tool suppliers
> do only static analysis, or only dynamic analysis – not both.
>
> I think it does **NOT** make sense to “bundle” these two different
> activities in a single spec.
>
> I recommend that dynamic issues, like fuzzing and testing, be handled
> **separately** by a different spec or different group.
Agreed... this activity needs to focus on addressing issues with the C language.
Testing (including methods such as fuzzing) should be outside the scope... in fact, there is already an ISO WG looking at Software Testing (ISO 29119).
As a further distinction, I suggest this group should avoid becoming embroiled with generic (i.e. non-C-specific) static code analysis level activity - unless that is planned as a separate document!
Andrew