Full Disclosure mailing list archives
RE: automated vulnerability testing
From: Todd Burroughs <todd () hostopia com>
Date: Sat, 29 Nov 2003 04:49:06 -0500 (EST)
> Most of these are situations similar to the halting problem on a Turing machine so you are unlikely to get an error free checker. But if your checker complains about all the possible security holes, it will complain about nearly every construct used within C programs.
I'm auditing one of our daemons, written in C. I've run it through various source code checkers and that is useful; I found something that could be exploitable using this. In our environment, it is not a problem, but we'll fix it and we all learn something. These tools are useful to find obvious problems or problems that have a pattern. Now, after using these tools, I have to look over the code and it cannot be code that I wrote. I don't think there's a substitute for serious code review.

If you want to make a better tool, please do, I'll use it and if it's good, I might help...

Todd Burroughs

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
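To make concrete what "problems that have a pattern" means, and why such checkers "complain about nearly every construct", here is a deliberately small pattern-based scanner for C source. It is an added illustration, not a tool from this thread or from any checker the posters used; the C sample it scans is constructed here and is not the daemon Todd describes. It flags calls to `strcpy`, `strcat`, `sprintf` and `gets`, and shows one cheap way to cut noise: a `strcpy` of a string literal that provably fits the declared destination is suppressed. The `strcat` on the next line cannot be judged the same way, because whether it overflows depends on what `buf` already holds at runtime, which is exactly the kind of question a textual pattern cannot answer and a human reviewer must.

```python
import re

# Constructed C sample for the demonstration (not code from the post or its daemon).
# Line 7 is a benign strcpy of a literal; line 8 is a genuine unbounded append.
SAMPLE_C = r'''
#include <string.h>
#include <stdio.h>

void greet(const char *name) {
    char buf[16];
    strcpy(buf, "hello");        /* literal fits: benign */
    strcat(buf, name);           /* unbounded: real problem */
    printf("%s\n", buf);
}

void safe_copy(const char *src) {
    char out[32];
    snprintf(out, sizeof out, "%s", src);   /* bounded */
}
'''

# The "pattern" the checker knows: library calls with no length argument.
RISKY_CALLS = {
    "strcpy": "unbounded copy",
    "strcat": "unbounded append",
    "sprintf": "unbounded formatted write",
    "gets": "no bound at all",
}

CALL_RE = re.compile(r"\b(" + "|".join(RISKY_CALLS) + r")\s*\((.*?)\)\s*;")
DECL_RE = re.compile(r"\bchar\s+(\w+)\s*\[\s*(\d+)\s*\]")      # char name[N];
LITERAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"$')               # "..." with escapes
FUNC_OPEN_RE = re.compile(r"\)\s*\{\s*$")                       # ') {' ends a line


def scan(source, suppress_fitting_literals=True):
    """Return (line, function, reason) for every risky call in `source`.

    Buffer sizes are remembered per function (reset at each ') {' line); this
    is a toy approximation of scope, not a C parser.
    """
    sizes = {}
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if FUNC_OPEN_RE.search(line):
            sizes = {}
        for name, size in DECL_RE.findall(line):
            sizes[name] = int(size)
        m = CALL_RE.search(line)
        if not m:
            continue
        func, args = m.group(1), m.group(2)
        dest, _, src = args.partition(",")
        dest, src = dest.strip(), src.strip()
        lit = LITERAL_RE.match(src)
        # Noise reduction: a literal copied into a buffer it provably fits.
        # Escape sequences are counted at two characters, which over-estimates
        # length and therefore errs toward reporting, never toward silence.
        if (suppress_fitting_literals and func == "strcpy" and lit
                and dest in sizes and len(lit.group(1)) + 1 <= sizes[dest]):
            continue
        findings.append((lineno, func, RISKY_CALLS[func]))
    return findings


if __name__ == "__main__":
    for lineno, func, reason in scan(SAMPLE_C):
        print(f"line {lineno}: {func}() - {reason}")
    noisy = scan(SAMPLE_C, suppress_fitting_literals=False)
    print(f"without literal suppression: {len(noisy)} findings")
```

Run as-is it reports only the `strcat` on line 8; with `suppress_fitting_literals=False` it also reports the harmless `strcpy` on line 7, which is the "complains about nearly every construct" behaviour the quoted message describes. Every further heuristic added here trades a class of false positives for a chance of a false negative, which is why the output of such a tool is a worklist for review rather than a verdict.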
Current thread:
- Re: automated vulnerability testing, (continued)
- Re: automated vulnerability testing David Maynor (Nov 21)
- Re: automated vulnerability testing Cael Abal (Nov 21)
- Re: automated vulnerability testing David Maynor (Nov 21)
- Re: automated vulnerability testing Cael Abal (Nov 21)
- Re: automated vulnerability testing David Maynor (Nov 21)
- Re: automated vulnerability testing madsaxon (Nov 21)
- Re: automated vulnerability testing fulldisclosure (Nov 21)
- Re: automated vulnerability testing David Maynor (Nov 21)
- RE: automated vulnerability testing Bill Royds (Nov 28)
- RE: automated vulnerability testing Todd Burroughs (Nov 29)
- Re: automated vulnerability testing Todd Burroughs (Nov 29)
- RE: automated vulnerability testing Bill Royds (Nov 29)
- RE: automated vulnerability testing Peter Moody (Nov 29)
- RE: automated vulnerability testing Bill Royds (Nov 29)
- Re: automated vulnerability testing Michael Gale (Nov 29)
- Re: automated vulnerability testing Frank Knobbe (Nov 29)
- Re: automated vulnerability testing Gadi Evron (Nov 29)
- Re: automated vulnerability testing Valdis . Kletnieks (Nov 29)
- Re: automated vulnerability testing Jonathan A. Zdziarski (Nov 30)