Full Disclosure mailing list archives

Re: automated vulnerability testing


From: "Jonathan A. Zdziarski" <jonathan () nuclearelephant com>
Date: Sun, 30 Nov 2003 09:31:08 -0500

Everyone used to say Java was inherently secure, and look what happened
to it... plagued with vulnerabilities.  No language is secure unless you
make it so restrictive that it isn't capable of doing anything useful.
Good programming relies on the programmer (as most have said in this
thread). 

If you want to harden up your C programs, there are a few stack
protectors and such out there you can compile/link with that will
protect your code from typical stack smashing vulnerabilities and such. 
There are also OS hardening tools out there to perform similar
protection.

That reminds me, it'd be nice if there was a C code scanner to check
your code for potential vulnerabilities.  Maybe a --taint flag in gcc or
something.  Anyone heard of one that does a good job?  It obviously
isn't a replacement for good programming but would be a nice help to
point out things one might not otherwise see.

Jonathan


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
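The stack-smashing pattern the post refers to, beside a bounded version, as an added example that is not part of the original message or of any tool it mentions. The flag names in the comments are GCC's (`-fstack-protector` is the ProPolice work that landed in mainline GCC 4.1; it post-dates this 2003 thread); the function and buffer names are made up for illustration.

```c
/*
 * Added example (not from the original post): a classic stack smash next to
 * the bounded copy that avoids it. Build the demo with a stack protector:
 *
 *   gcc -O2 -Wall -fstack-protector-all demo.c -o demo
 *   ./demo "$(printf 'A%.0s' $(seq 1 64))"
 *
 * Without the protector the oversize argument overwrites the saved return
 * address of greet_unsafe(); with it, the run aborts with
 * "*** stack smashing detected ***" before the corrupted return is used.
 */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* fixed-size stack buffer; hypothetical limit */

/* Vulnerable: strcpy() trusts the caller. Any input of NAME_MAX or more
 * bytes writes past buf[] into the saved frame pointer / return address. */
int greet_unsafe(const char *name)
{
    char buf[NAME_MAX];
    strcpy(buf, name);               /* unbounded copy: the stack smash */
    return (int)strlen(buf);
}

/* Hardened: the copy is bounded by the destination size, the result is
 * always NUL-terminated, and oversize input is rejected rather than
 * silently truncated. Returns the number of bytes copied, or -1 if the
 * input (plus its terminator) does not fit in dstsz bytes. */
int greet_safe(char *dst, size_t dstsz, const char *name)
{
    size_t n = strlen(name);
    if (dstsz == 0 || n >= dstsz)    /* need room for n bytes + NUL */
        return -1;
    memcpy(dst, name, n + 1);        /* copies the terminator too */
    return (int)n;
}

int main(int argc, char **argv)
{
    char out[NAME_MAX];
    const char *in = argc > 1 ? argv[1] : "Jonathan";   /* constructed default */

    if (greet_safe(out, sizeof out, in) < 0) {
        fprintf(stderr, "input too long for a %zu-byte buffer\n", sizeof out);
        return 1;
    }
    printf("hello, %s\n", out);

    /* Reached only when the input fit; the unsafe call is kept so the
     * protector's behaviour can be observed by removing the check above. */
    greet_unsafe(in);
    return 0;
}
```

The protector only detects the overwrite after it has happened and then aborts the process, so it turns code execution into a crash; the bounded copy in `greet_safe()` is what actually removes the bug, which is the "relies on the programmer" point made in the post.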