Firewall Wizards mailing list archives
Re: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe)
From: Predrag Zivic <pzivic () yahoo com>
Date: Wed, 8 Aug 2001 07:42:23 -0700 (PDT)
Does anyone have a compiled list of code scanners? I am interested in source code scanners, code scanners (binary?) and buffer overflow tools. Any input would be greatly appreciated. I know about ITS4. I am grateful forever for any info on this topic.

Pez

--- Darren Reed <darrenr () reed wattle id au> wrote:
> In some email I received from Adam Shostack, sie wrote:
> > Clearly, you don't understand my message. If you look at the tools I
> > mentioned, you'll see that they are code scanners, not vulnerability
> > scanners. A code scanner (ITS4, RATS) examines the source code to an
> > app to find calls to dangerous functions, etc.
>
> Ah yes, that was my fault. I saw the word "scanner" and immediately
> thought of vulnerability scanner (not source code). Given that I now
> have a better understanding of what you meant (blinkers are off), I do
> agree with the things you were saying.
>
> [...]
>
> > Regression testing only looks for bugs that have been found before, to
> > ensure that you don't regress.
>
> That is important. Regression testing should also ensure things
> continue to work, as well as not work.
>
> > Unit tests, in my experience, fall into two sets; those written by the
> > engineer who wrote the code, which never find anything until the code
> > is handed over to someone else, because the engineer already dealt
> > with the cases that he wrote tests for, and those written by a junior
> > QA guy, which find fenceposts, and off-by-one and that sort of thing.
> > Neither tends to find security flaws, unless you have a really unusual
> > person writing the tests.
>
> Given my experience as a s/w engineer, I can say that unless you have
> someone else writing the tests, you're not likely to find half the
> problems. Testing absurd input, like passing strings with linefeeds in
> them to getpwnam() or making environment variables (where used) 4K long
> with junk content, etc, needs to become part of the standard unit
> testing.
>
> Darren
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://list.nfr.com/mailman/listinfo/firewall-wizards
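A minimal source code scanner in the sense Adam Shostack describes above (reading C source and flagging calls to dangerous functions, as ITS4 and RATS do), added here as an illustration; it is not code from the thread or from either tool, and the function table, severities and the sample C source are all constructed for the example.

```python
"""Minimal ITS4/RATS-style source code scanner (added example, not from the thread).
Reads C source, blanks comments and string literals, and flags call sites whose
function name is in a constructed table of historically dangerous functions."""
import re

# Constructed table: function -> (severity, why it is flagged)
DANGEROUS = {
    "gets":    ("high",   "no bound on input length; use fgets"),
    "strcpy":  ("high",   "unbounded copy; use strncpy/strlcpy with a size"),
    "strcat":  ("high",   "unbounded append; use strncat/strlcat"),
    "sprintf": ("high",   "unbounded write; use snprintf"),
    "printf":  ("low",    "format-string risk if first argument is not a literal"),
    "getenv":  ("low",    "attacker-controlled length and content; validate"),
}

# An identifier immediately followed by '(' is treated as a call site.
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
# Block comments, line comments and string literals are blanked before scanning.
NOISE_RE = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\])*"', re.S)

def strip_noise(src: str) -> str:
    """Replace comments/strings with spaces, keeping newlines so line numbers hold."""
    return NOISE_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)

def scan(src: str) -> list[tuple[int, str, str]]:
    """Return (line, function, severity) for every dangerous call, in source order."""
    findings = []
    for lineno, line in enumerate(strip_noise(src).splitlines(), start=1):
        for m in CALL_RE.finditer(line):
            name = m.group(1)
            if name in DANGEROUS:
                findings.append((lineno, name, DANGEROUS[name][0]))
    return findings

# Constructed sample: the kind of CGI-era code the thread is worried about.
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>
int main(void) {
    char buf[64];
    char *path = getenv("PATH_INFO");   /* 4K of junk fits here */
    strcpy(buf, path);                   // unbounded copy into buf[64]
    printf(buf);                         /* "strcpy(x, y)" in a comment is ignored */
    return 0;
}
'''

if __name__ == "__main__":
    for line, fn, sev in scan(SAMPLE_C):
        print(f"line {line}: {fn}() [{sev}] - {DANGEROUS[fn][1]}")
```

Like the tools it imitates, this finds call sites, not exploitable bugs: every hit still needs a human to check whether the arguments are actually bounded.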