Firewall Wizards mailing list archives

Re: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe)


From: Predrag Zivic <pzivic () yahoo com>
Date: Wed, 8 Aug 2001 07:42:23 -0700 (PDT)

Does anyone have a compiled list of code scanners? I am interested in source code scanners, code scanners (binary?) and buffer overflow tools.

Any input would be greatly appreciated. I know about ITS4.

I am grateful forever for any info on this topic.

Pez

--- Darren Reed <darrenr () reed wattle id au> wrote:
In some email I received from Adam Shostack, sie wrote:

Clearly, you don't understand my message. If you look at the tools I mentioned, you'll see that they are code scanners, not vulnerability scanners. A code scanner (ITS4, RATS) examines the source code to an app to find calls to dangerous functions, etc.

Ah yes, that was my fault. I saw the word "scanner" and immediately thought of vulnerability scanner (not source code). Given that I now have a better understanding of what you meant (blinkers are off), I do agree with the things you were saying.

[...]
Regression testing only looks for bugs that have been found before, to ensure that you don't regress.

That is important. Regression testing should also ensure things continue to work, as well as not work.

Unit tests, in my experience, fall into two sets; those written by the engineer who wrote the code, which never find anything until the code is handed over to someone else, because the engineer already dealt with the cases that he wrote tests for, and those written by a junior QA guy, which find fenceposts, and off-by-one and that sort of thing. Neither tends to find security flaws, unless you have a really unusual person writing the tests.

Given my experience as a s/w engineer, I can say that unless you have someone else writing the tests, you're not likely to find half the problems.

Testing absurd input, like passing strings with linefeeds in them to getpwnam() or making environment variables (where used) 4K long with junk content, etc, needs to become part of the standard unit testing.

Darren
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com

http://list.nfr.com/mailman/listinfo/firewall-wizards


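Darren's suggestion of "absurd input" unit tests, turned into an added C example that is not code from this thread: a gatekeeper for names bound for getpwnam() that rejects an embedded linefeed, a bounded getenv() wrapper, and a test that feeds it a 4K junk variable. The limits NAME_MAX_LEN and ENV_BUF_LEN, the function names and the constructed inputs are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX_LEN 32 /* assumed policy limit for a login name */
#define ENV_BUF_LEN 256 /* assumed size of the caller's buffer */

/* Gatekeeper for names that will be handed to getpwnam(): rejects NULL,
 * empty and over-long names and any byte outside a conservative set,
 * so an embedded '\n' never reaches the lookup. */
bool valid_login_name(const char *name) {
    if (name == NULL) return false;
    size_t len = strnlen(name, NAME_MAX_LEN + 1);
    if (len == 0 || len > NAME_MAX_LEN) return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.') return false;
    }
    return true;
}

/* Bounded getenv(): copies at most outsz-1 bytes and NUL-terminates.
 * Returns -1 if the variable is unset, 1 if truncated, 0 if it fit. */
int bounded_getenv(const char *var, char *out, size_t outsz) {
    const char *v = getenv(var);
    if (v == NULL || outsz == 0) return -1;
    size_t n = strnlen(v, outsz);
    if (n >= outsz) {
        memcpy(out, v, outsz - 1);
        out[outsz - 1] = '\0';
        return 1;
    }
    memcpy(out, v, n + 1);
    return 0;
}

/* Absurd-input unit test: a 4K junk environment variable (constructed
 * here) must come back truncated, never overrun the caller's buffer. */
bool test_4k_env_is_truncated(void) {
    char junk[4097], buf[ENV_BUF_LEN];
    memset(junk, 'X', 4096);
    junk[4096] = '\0';
    setenv("ABSURD_TEST_VAR", junk, 1);
    int rc = bounded_getenv("ABSURD_TEST_VAR", buf, sizeof buf);
    unsetenv("ABSURD_TEST_VAR");
    return rc == 1 && strlen(buf) == ENV_BUF_LEN - 1;
}
```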
