Firewall Wizards mailing list archives

Re: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe)


From: Darren Reed <darrenr () reed wattle id au>
Date: Wed, 8 Aug 2001 10:00:43 +1000 (EST)

In some email I received from Adam Shostack, sie wrote:

Clearly, you don't understand my message.  If you look at the tools I
mentioned, you'll see that they are code scanners, not vulnerability
scanners.   A code scanner (ITS4, RATS) examines the source code to an 
app to find calls to dangerous functions, etc.

Ah yes, that was my fault.  I saw the word "scanner" and immediately
thought of vulnerability scanner (not source code).  Given that I now
have a better understanding of what you meant (blinkers are off), I do
agree with the things you were saying.

[...]
Regression testing only looks for bugs that have been found before, to 
ensure that you don't regress.

That is important.  Regression testing should also ensure things continue
to work, as well as not work.

Unit tests, in my experience, fall
into two sets; those written by the engineer who wrote the code, which 
never find anything until the code is handed over to someone else,
because the engineer already dealt with the cases that he wrote tests
for, and those written by a junior QA guy, which find fenceposts, and
off-by-one and that sort of thing.  Neither tends to find security
flaws, unless you have a really unusual person writing the tests.

Given my experience as a s/w engineer, I can say that unless you have
someone else writing the tests, you're not likely to find half the problems.

Testing absurd input, like passing strings with linefeeds in them to
getpwnam() or making environment variables (where used) 4K long with
junk content, etc, needs to become part of the standard unit testing.

Darren
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
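The closing suggestion, that absurd input (strings with embedded linefeeds, 4K of junk where an environment variable is expected) should be part of ordinary unit testing, as an added example in C. This is not code from the thread or from either author: the function under test (`validate_username`), the harness (`run_absurd_input_tests`) and all inputs are assumptions constructed for illustration. The 4K junk buffer stands in for an oversized environment variable; a real harness would `setenv()` the same junk and read it back with `getenv()` before passing it in.

```c
/* Added example: absurd-input unit tests for a small input validator.
 * validate_username and run_absurd_input_tests are hypothetical names. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define USERNAME_MAX 32

/* Copy a candidate username into out (size outsz) if it is acceptable:
 * non-empty, at most USERNAME_MAX bytes, first byte alphanumeric, and only
 * [A-Za-z0-9_.-] throughout. Returns 0 on success, -1 on rejection.
 * out is always NUL-terminated (when outsz > 0), so a caller can never read
 * past a partially written buffer after a rejection. */
int validate_username(const char *in, char *out, size_t outsz)
{
    size_t n = 0;

    if (out == NULL || outsz == 0)
        return -1;
    out[0] = '\0';
    if (in == NULL)
        return -1;

    /* Bounded scan: an unterminated or 4K-long input is never walked past
     * USERNAME_MAX + 1 bytes, so it cannot run away. */
    while (n <= USERNAME_MAX && in[n] != '\0')
        n++;
    if (n == 0 || n > USERNAME_MAX || n + 1 > outsz)
        return -1;
    if (!isalnum((unsigned char)in[0]))
        return -1;

    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)in[i];
        /* Rejects '\n', '\r', other control bytes, high bytes, ';', etc. */
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.'))
            return -1;
    }
    memcpy(out, in, n);
    out[n] = '\0';
    return 0;
}

/* One absurd-input case: a label, the input, and the expected return code. */
struct absurd_case {
    const char *label;
    const char *in;
    int expect_rc;
};

/* Run the cases and return how many did NOT behave as expected (0 means the
 * validator held up). Each case also checks that a canary byte just past the
 * output buffer survives and that the output is NUL-terminated, which is the
 * kind of overflow a fuzz-style unit test exists to catch. */
int run_absurd_input_tests(void)
{
    static char junk[4096 + 1];        /* constructed 4K "environment variable" */
    char out[USERNAME_MAX + 1 + 1];    /* last byte is a canary, not part of out */
    int failures = 0;

    /* Constructed junk: mixed printable/non-printable bytes, no NUL until the end. */
    for (size_t i = 0; i < 4096; i++)
        junk[i] = (char)(1 + (i * 7) % 255);
    junk[4096] = '\0';

    struct absurd_case cases[] = {
        { "ordinary name",     "alice",                              0 },
        { "exactly max (32)",  "abcdefghijklmnopqrstuvwxyz012345",   0 },
        { "one over max (33)", "abcdefghijklmnopqrstuvwxyz0123456", -1 },
        { "embedded linefeed", "alice\nroot",                       -1 },
        { "embedded CR",       "alice\r",                           -1 },
        { "empty string",      "",                                  -1 },
        { "NULL pointer",      NULL,                                -1 },
        { "4K junk (env var)", junk,                                -1 },
        { "shell metachars",   "alice;id",                          -1 },
        { "leading dash",      "-n",                                -1 },
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        memset(out, 'X', sizeof out);
        out[sizeof out - 1] = (char)0x7f;                 /* canary */
        int rc = validate_username(cases[i].in, out, sizeof out - 1);
        int ok = rc == cases[i].expect_rc
              && out[sizeof out - 1] == (char)0x7f        /* no overflow */
              && memchr(out, '\0', sizeof out - 1) != NULL; /* terminated */
        if (!ok) {
            failures++;
            printf("FAIL: %s (rc=%d)\n", cases[i].label, rc);
        }
    }
    return failures;
}

int main(void)
{
    int f = run_absurd_input_tests();
    printf("%d failing case(s)\n", f);
    return f != 0;
}
```

The table of cases is the point: it is written by someone other than the validator's author, it mixes the "should still work" cases with the "should fail" ones (the regression concern raised earlier in the message), and every row checks both the return code and the buffer boundary, so an off-by-one or a missing terminator shows up even when the return code is right.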

