Firewall Wizards mailing list archives
Re: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe)
From: Adam Shostack <adam () homeport org>
Date: Fri, 10 Aug 2001 17:48:42 -0400
ITS4, RATS, flawfinder, Lopht Slint, fuzz. The immunix suite is worth
looking at, as is David Wagner's thesis (I don't think the code is
available, but hey, sometimes it's worth reading the paper, not the code.)

Static analysis and computer security: New techniques for software assurance
http://www.cs.berkeley.edu/~daw/papers/phd-dis.ps

Adam

On Wed, Aug 08, 2001 at 07:42:23AM -0700, Predrag Zivic wrote:
| Does anyone have a compiled list of code scanners?
| I am interested in source code scanners, code
| scanners (binary?) and buffer overflow tools.
|
| Any input would be greatly appreciated. I know about
| ITS4.
|
| I am grateful forever for any info on this topic.
|
| Pez
|
| --- Darren Reed <darrenr () reed wattle id au> wrote:
| > In some email I received from Adam Shostack, sie wrote:
| > >
| > > Clearly, you don't understand my message. If you look at the tools I
| > > mentioned, you'll see that they are code scanners, not vulnerability
| > > scanners. A code scanner (ITS4, RATS) examines the source code to an
| > > app to find calls to dangerous functions, etc.
| >
| > Ah yes, that was my fault. I saw the word "scanner" and immediately
| > thought of vulnerability scanner (not source code). Given that I now
| > have a better understanding of what you meant (blinkers are off), I do
| > agree with the things you were saying.
| >
| > [...]
| > > Regression testing only looks for bugs that have been found before, to
| > > ensure that you don't regress.
| >
| > That is important. Regression testing should also ensure things continue
| > to work, as well as not work.
| >
| > > Unit tests, in my experience, fall into two sets; those written by the
| > > engineer who wrote the code, which never find anything until the code
| > > is handed over to someone else, because the engineer already dealt
| > > with the cases that he wrote tests for, and those written by a junior
| > > QA guy, which find fenceposts, and off-by-one and that sort of thing.
| > > Neither tends to find security flaws, unless you have a really unusual
| > > person writing the tests.
| >
| > Given my experience as a s/w engineer, I can say that unless you have
| > someone else writing the tests, you're not likely to find half the
| > problems.
| >
| > Testing absurd input, like passing strings with linefeeds in them to
| > getpwnam() or making environment variables (where used) 4K long with
| > junk content, etc, needs to become part of the standard unit testing.
| >
| > Darren

--
"It is seldom that liberty of any kind is lost all at once." -Hume

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
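A toy version of the kind of source-code scanner the thread describes (one that examines source for calls to dangerous functions, in the manner of ITS4 or RATS), added here as an illustration and not code from any of those tools; the rules table and the C fragment it scans are constructed for the example:

```python
"""Toy source-code scanner in the spirit of ITS4/RATS/flawfinder (added example,
not code from those tools): blanks comments and string literals in C source,
then reports calls to commonly unsafe functions with a line number."""
import re

# Constructed rules table: function name -> (severity, reason). Illustrative only.
RULES = {
    "gets":    ("high",   "no bound on input length; use fgets"),
    "strcpy":  ("high",   "no bound on destination; use a length-checked copy"),
    "strcat":  ("high",   "no bound on destination; use a length-checked append"),
    "sprintf": ("medium", "no bound on output; use snprintf"),
    "system":  ("medium", "shell metacharacters in the argument allow injection"),
    "getenv":  ("low",    "environment is attacker controlled; check length and content"),
}
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, RULES)) + r")\s*\(")

def strip_comments_and_strings(src: str) -> str:
    """Replace comments and string literals with spaces, keeping newlines so
    line numbers stay right; names inside them must not trigger findings."""
    pattern = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"', re.S)
    return pattern.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)

def scan(src: str):
    """Return a list of (line_no, function, severity, reason) per risky call."""
    findings = []
    for line_no, line in enumerate(strip_comments_and_strings(src).splitlines(), 1):
        for m in CALL_RE.finditer(line):
            sev, why = RULES[m.group(1)]
            findings.append((line_no, m.group(1), sev, why))
    return findings

# Constructed sample input: a small C fragment with a few classic calls.
SAMPLE = r'''
#include <string.h>
/* strcpy in a comment must not count */
void f(char *in) {
    char buf[64];
    strcpy(buf, in);                         /* flagged: high */
    printf("gets(x) inside a string is fine");
    char *home = getenv("HOME");             /* flagged: low */
    snprintf(buf, sizeof buf, "%s", home);   /* bounded, not flagged */
}
'''

if __name__ == "__main__":
    for line_no, name, sev, why in scan(SAMPLE):
        print(f"line {line_no}: {name}() [{sev}] {why}")
```

Like the real tools, this is a lexical check: it finds the call sites a reviewer should look at, and says nothing about whether a given call is actually reachable with attacker-controlled data.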