Silver Bullet Talks with Bart Miller
Author
Abstract
One of my favorite papers about Heartbleed was the one that you wrote with James Kupsch. Tell us about the methods you describe for software assurance and how they worked or didn’t work against the OpenSSL code base. Heartbleed was a wake-up call for a lot of people who were making assumptions about the security of open source software. It was also a wake-up call for people who were depending on software assurance tools to scan and look for flaws in code. Why didn’t software assurance tools, well-known names like Fortify, Coverity, CodeSonar, AppScan, or Red Lizard, find this vulnerability? We were surprised that these tools missed a simple buffer overflow.
Journal title:
- IEEE Security & Privacy
Volume 12, Issue
Pages -
Publication date: 2014