[Cryptography] I don't get it.

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Apr 17 22:14:03 EDT 2014


Christian Huitema <huitema at huitema.net> writes:

>In the variant of C++ that we use at Microsoft, the "user types 11" scenario
>will absolutely be flagged by static analysis.

Note that the version of PREfast used inside Microsoft is a lot more powerful
than the general-release one, so the fact that the internal one would find it
doesn't necessarily mean that the one that everyone else uses would.

(The internal-only analysis tools require a lot more expertise to drive; the
released ones are training-wheels versions that won't result in MS getting
flooded in support calls for error messages that developers don't understand).

Peter.

