Penetration Testing mailing list archives
Re: [PEN-TEST] Quality Assurance
From: White Vampire <whitevampire () mindless com>
Date: Tue, 17 Oct 2000 00:44:28 -0400
On Mon, Oct 16, 2000 at 05:42:20PM -0700, Levine, Adam(Adam.Levine () BANKOFAMERICA COM) wrote:
> Problem: How to determine that security vulnerabilities are not introduced into program code? Two situations: 1) source code available (e.g., internal development) or 2) only object code available (i.e., vendor supplied).
>
> If you have source code, then I would argue that the QA function should perform a compare and review all source code changes to assure that they are performing the intended function. If you only have object code, or as an alternative for lower risk applications, it might be acceptable to place your application into a testing utility that tells you about any object code that is not executed during regression testing. Test scripts must include destructive tests (e.g., buffer overflows, control characters). Follow up with the vendor on any code that is not executed.
>
> First question: It's my understanding that testing utilities such as described above are language specific. Can I get feedback from the list on testing utilities that perform the function above and the associated languages handled?
>
> Second question: How have people implemented their QA functions for web-related code?
Just a quick note: this thread may be more suited for the new Security Focus list SECPROG for secure programming discussion.

Regards,

--
White Vampire\Rem
http://www.projectgamma.com/
http://www.webfringe.com/
http://www.gammaforce.org/
"Silly hacker, root is for administrators."
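The approach Adam describes (run the regression suite under a tool that reports code never executed, and make sure the suite contains destructive inputs such as oversized buffers and control characters) can be shown in miniature. The following is an added example, not code from the thread or from any tool named in it: a small line-coverage tracer built on Python's `sys.settrace`, a hypothetical `parse_record` function standing in for the application under test, and a regression suite run first with ordinary inputs only and then with destructive inputs added. The test data is constructed for this example.

```python
"""Regression suite with line-coverage reporting and destructive inputs.

Added example: a minimal coverage tracer on top of sys.settrace, a hypothetical
function under test, and a suite that mixes ordinary records with destructive
ones. It lists the lines of the target function that the suite never executed,
which is the gap Adam's QA process would follow up on.
"""
import dis
import linecache
import sys


# Hypothetical function under test, constructed for this example.
def parse_record(data: bytes) -> dict:
    """Parse one 'key=value' record; rejects oversized or non-printable input."""
    if len(data) > 256:
        raise ValueError("record too long")
    text = data.decode("ascii")  # raises UnicodeDecodeError on non-ASCII bytes
    if any(ord(c) < 32 for c in text):
        raise ValueError("control character in record")
    key, sep, value = text.partition("=")
    if not sep:
        return {"error": "missing separator"}
    return {key.strip(): value.strip()}


class LineCoverage:
    """Record which lines of the given functions execute while the block is active."""

    def __init__(self, *functions):
        self.targets = {f.__code__ for f in functions}
        self.executed = set()      # (code object, line number) pairs that ran
        self._previous = None      # any tracer that was installed before us

    def _trace(self, frame, event, arg):
        if frame.f_code not in self.targets:
            return None            # do not trace frames belonging to other code
        if event == "line":
            self.executed.add((frame.f_code, frame.f_lineno))
        return self._trace         # keep receiving line events for this frame

    def __enter__(self):
        self._previous = sys.gettrace()
        sys.settrace(self._trace)
        return self

    def __exit__(self, *exc_info):
        sys.settrace(self._previous)
        return False

    def unexecuted(self):
        """Executable lines of the target functions that never ran.

        Returns a list of (function name, line number, source text). The 'def'
        line itself is excluded because it carries no logic to test.
        """
        missing = []
        for code in self.targets:
            executable = {line for _, line in dis.findlinestarts(code)
                          if line is not None and line != code.co_firstlineno}
            ran = {line for c, line in self.executed if c is code}
            for line in sorted(executable - ran):
                source = linecache.getline(code.co_filename, line).strip()
                missing.append((code.co_name, line, source))
        return missing


# Constructed test data: ordinary records and destructive inputs.
HAPPY_PATH = [b"user=alice", b"mode = strict"]
DESTRUCTIVE = [
    b"A" * 1000,           # oversized buffer
    b"user=\x00alice",     # embedded control character
    b"\xff\xfe=bad",       # bytes that are not valid ASCII
    b"noseparator",        # malformed record
]


def run_regression(cases):
    """Run every case through parse_record under the tracer; return unexecuted lines."""
    with LineCoverage(parse_record) as cov:
        for data in cases:
            try:
                parse_record(data)
            except (ValueError, UnicodeDecodeError):
                pass  # rejection is the expected outcome; any other error propagates
    return cov.unexecuted()


if __name__ == "__main__":
    suites = (("happy path only", HAPPY_PATH),
              ("happy path + destructive", HAPPY_PATH + DESTRUCTIVE))
    for label, cases in suites:
        missing = run_regression(cases)
        print(f"{label}: {len(missing)} unexecuted line(s)")
        for name, line, source in missing:
            print(f"  {name}:{line}  {source}")
```

Run with only the ordinary inputs, the report lists the three rejection branches that never executed; adding the destructive inputs drives the count to zero. The same idea applies to vendor-supplied object code with a binary coverage tool, with the difference that unexecuted regions are reported as addresses rather than source lines and must be taken back to the vendor, as Adam suggests.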
Current thread:
- [PEN-TEST] Quality Assurance Levine, Adam (Oct 16)
- Re: [PEN-TEST] Quality Assurance White Vampire (Oct 17)
- Re: [PEN-TEST] Quality Assurance Alfred Huger (Oct 17)