Dailydave mailing list archives
Re: Some Sums
From: Jared DeMott <demottja () msu edu>
Date: Mon, 12 Feb 2007 08:02:32 -0500
Steven M. Christey wrote:
> Tom Ptacek said:
>> 2. A lot of people are "finding" things simply by being the first to aim someone else's fuzzer at them. I'm not sure what this implies, but it implies something.
>
> And/or, maybe fewer people are using fuzzers than assumed - I'd be interested in hearing what the fuzzer people think.
A few things off the top of my head:

First of all, some fuzzers cost (a lot of) money. So freelance researchers and/or small research companies aren't going to buy them. Same would be true for small software companies. I wonder if a small software company outsources their testing, and the company doing the testing owns expensive fuzzers, would that be a way to drive down total cost of ownership?

Secondly, many researchers like to build and use their own fuzzers because it's assumed that other people are using, or will soon use, the for-pay/public fuzzers. If the assumption holds true, the shelf life of potentially discovered bugs will decrease. This is bad for many reasons, mostly because if you simply use someone else's fuzzer the bulk of your costs will be time to develop bugs discovered. It's a shame for that work to go down the drain. But if it helps you find stuff quicker without the costs of building your own fuzzer ... I'll let someone else argue both sides. Just bringing up possible considerations. :) And of course this assumption doesn't hold water for software companies, that ought to be doing their own testing.

Lastly, as Dave pointed out a few posts ago, building != buying != using. Correctly using is half (or some arguable portion) the battle. I can't imagine a day when even the best testing or security research tools are, "click the big green go button for instant perfect results".