Vulnerability Development mailing list archives

Re: How to Write Secure Code


From: lmolina () COL1 TELECOM COM CO (Lucio A.Molina F.)
Date: Sat, 11 Mar 2000 01:05:41 -0500


Other software that can be useful to you could be The Librarian from
Computer Associates.

Lucio Augusto Molina Focazzio
Certified Information Systems Auditor - CISA
ISACA, Bogotá Chapter President
Audicai Ltda. CEO
Tels. (571) 6271751
Fax   (571) 2743875
Cel.  (573) 2400063
Santafé de Bogotá, Colombia

-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM] On behalf of Erik Debill
Sent: Friday, March 10, 2000 2:53 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: How to Write Secure Code

On Fri, Mar 10, 2000 at 10:45:59AM -0800, Adam.Levine () BANKOFAMERICA COM wrote:
In addition to standards for writing secure code, I would be very interested in
hearing about any tools that can be used to audit compliance with these
standards.  If you were going to audit an application where these standards did
not exist, what would you use to sift through millions of lines of code to
identify exposures?

Thank god I never got faced with millions of lines of
code... thousands was enough.

I started with grep.  Looking for instances of "risky" calls, like
strcpy, system, exec.  I found lots and worked backwards from them to
make sure they weren't being called with unchecked data (they were - I
got to have a little "discussion" with the author).

After that it was tracing the dataflow of the program (bunch 'o' CGI
scripts in lousy C++, so at least the dataflow wasn't too complicated)
to make sure every place data came in it was treated right.

That still left the problem that data could come in, be cleaned and
made a safe length but later on be stuffed into a variable that was
too small.

I'm afraid doing anything truly thorough would really come down to
grovelling over the entire source of the application - a full code
audit.  Too bad nobody seems to have time for that (aside from the
incredible efforts going on over at OpenBSD and the Linux Security
Audit Project).

Erik
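
The gap Erik describes above (input length-checked where it enters the program, then later copied into a smaller variable) as an added C example; this is not code from the thread, and the 64-byte entry limit, the 16-byte struct field and all function names are constructed for illustration:

```c
/* Added example, not from the original thread.  Shows why a length check
 * at the entry point does not protect a smaller destination used later,
 * and how to bound the later copy by the destination's own size. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define INPUT_MAX 64   /* constructed: limit enforced where data enters */
#define NAME_MAX  16   /* constructed: smaller field used deeper in the code */

struct record { char name[NAME_MAX]; int id; };

/* Length of s, never reading past max bytes (untrusted input may lack a NUL). */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* Entry-point check: accepts anything up to INPUT_MAX-1 characters. */
bool accept_input(const char *src, char out[INPUT_MAX]) {
    size_t n = bounded_len(src, INPUT_MAX);
    if (n >= INPUT_MAX) return false;
    memcpy(out, src, n);
    out[n] = '\0';
    return true;
}

/* Vulnerable pattern (the "risky call" grep finds): trusts the earlier check,
 * but checked[] may hold 63 chars while rec->name holds 15 plus NUL. */
void store_name_unsafe(struct record *rec, const char *checked) {
    strcpy(rec->name, checked);          /* writes past rec->name on long input */
}

/* Fixed: bound the copy by the destination and report truncation. */
bool store_name_safe(struct record *rec, const char *checked) {
    int n = snprintf(rec->name, sizeof rec->name, "%s", checked);
    return n >= 0 && (size_t)n < sizeof rec->name;
}

/* True when src passes the entry check yet does not fit the later field,
 * i.e. exactly the input the unsafe copy would mishandle. */
bool slips_through(const char *src) {
    char checked[INPUT_MAX];
    struct record rec;
    if (!accept_input(src, checked)) return false;   /* rejected at entry */
    return !store_name_safe(&rec, checked);          /* accepted, then too long */
}
```

A grep for strcpy finds store_name_unsafe; the dataflow trace is what shows that accept_input's limit is the wrong bound for rec->name.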
