Firewall Wizards mailing list archives
Re: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe)
From: Darren Reed <darrenr () reed wattle id au>
Date: Wed, 8 Aug 2001 10:00:43 +1000 (EST)
In some email I received from Adam Shostack, sie wrote:

> Clearly, you don't understand my message. If you look at the tools I mentioned, you'll see that they are code scanners, not vulnerability scanners. A code scanner (ITS4, RATS) examines the source code to an app to find calls to dangerous functions, etc.

Ah yes, that was my fault. I saw the word "scanner" and immediately thought of vulnerability scanner (not source code). Given that I now have a better understanding of what you meant (blinkers are off), I do agree with the things you were saying. [...]

> Regression testing only looks for bugs that have been found before, to ensure that you don't regress.

That is important. Regression testing should also ensure things continue to work, as well as not work.

> Unit tests, in my experience, fall into two sets; those written by the engineer who wrote the code, which never find anything until the code is handed over to someone else, because the engineer already dealt with the cases that he wrote tests for, and those written by a junior QA guy, which find fenceposts, and off-by-one and that sort of thing. Neither tends to find security flaws, unless you have a really unusual person writing the tests.

Given my experience as a s/w engineer, I can say that unless you have someone else writing the tests, you're not likely to find half the problems. Testing absurd input, like passing strings with linefeeds in them to getpwnam() or making environment variables (where used) 4K long with junk content, etc, needs to become part of the standard unit testing.

Darren
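As an added example (not code from the original thread, and not Darren's or Adam's), here is a small C harness in the spirit of the "absurd input" unit testing Darren describes: user names with embedded linefeeds and 4K of junk are fed to a lookup wrapper and to an environment-variable reader, and the tests also check that sane input still works (the "continue to work" half of regression testing). The functions `valid_user_name`, `lookup_uid`, `get_env_bounded`, `make_junk` and the variable name `HYPOTHETICAL_CONFIG` are hypothetical names chosen for this example.

```c
/* Added example, not from the original post. Hostile-input unit tests for
 * two hypothetical helpers that sit in front of getpwnam() and getenv(). */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define NAME_MAX_LEN 32
#define ENV_MAX_LEN 256

/* Hypothetical wrapper: accept only [A-Za-z0-9_-] and a bounded length, so
 * an embedded linefeed or an over-long string never reaches getpwnam().
 * Returns 1 if the name is syntactically acceptable, 0 otherwise. */
int valid_user_name(const char *name) {
    if (name == NULL || *name == '\0') return 0;
    size_t n = strlen(name);
    if (n > NAME_MAX_LEN) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Look up a user only after validation; returns 0 when rejected or unknown. */
int lookup_uid(const char *name, uid_t *out) {
    if (!valid_user_name(name)) return 0;
    struct passwd *pw = getpwnam(name);
    if (pw == NULL) return 0;
    *out = pw->pw_uid;
    return 1;
}

/* Copy an environment variable into a fixed buffer with a hard length cap.
 * Returns 0 if unset, empty, too long, or containing control characters. */
int get_env_bounded(const char *var, char *buf, size_t bufsz) {
    const char *v = getenv(var);
    if (v == NULL || *v == '\0') return 0;
    size_t n = strnlen(v, bufsz);   /* never scan further than the cap */
    if (n >= bufsz) return 0;       /* too long: refuse rather than truncate */
    for (size_t i = 0; i < n; i++)
        if (iscntrl((unsigned char)v[i])) return 0;
    memcpy(buf, v, n + 1);
    return 1;
}

/* Constructed test data: 'len' bytes of printable junk, as Darren describes. */
char *make_junk(size_t len) {
    char *s = malloc(len + 1);
    if (s == NULL) return NULL;
    for (size_t i = 0; i < len; i++) s[i] = (char)('!' + (i * 7) % 90);
    s[len] = '\0';
    return s;
}

/* Run the hostile-input cases; returns the number of failed checks (0 = pass). */
int run_hostile_input_tests(void) {
    int failures = 0;
    uid_t uid;
    char buf[ENV_MAX_LEN];

    /* absurd user names must be rejected before any lookup happens */
    if (lookup_uid("root\n", &uid)) failures++;
    if (lookup_uid("root\nx:x:0:0::/:/bin/sh", &uid)) failures++;
    if (lookup_uid("", &uid)) failures++;
    char *longname = make_junk(4096);
    if (longname == NULL || lookup_uid(longname, &uid)) failures++;
    free(longname);

    /* 4K of junk in an environment variable must be refused, not copied */
    char *junk = make_junk(4096);
    if (junk == NULL || setenv("HYPOTHETICAL_CONFIG", junk, 1) != 0) failures++;
    if (get_env_bounded("HYPOTHETICAL_CONFIG", buf, sizeof buf)) failures++;
    free(junk);

    /* a control character inside an otherwise short value is refused too */
    setenv("HYPOTHETICAL_CONFIG", "ok\nnot ok", 1);
    if (get_env_bounded("HYPOTHETICAL_CONFIG", buf, sizeof buf)) failures++;

    /* and sane input still works: the "continue to work" half of the test */
    setenv("HYPOTHETICAL_CONFIG", "sane-value", 1);
    if (!get_env_bounded("HYPOTHETICAL_CONFIG", buf, sizeof buf)) failures++;
    if (strcmp(buf, "sane-value") != 0) failures++;
    if (!valid_user_name("daemon")) failures++;

    return failures;
}

int main(void) {
    int f = run_hostile_input_tests();
    printf("%d hostile-input checks failed\n", f);
    return f != 0;
}
```

The point of the harness is not the two helpers but the shape of the test list: every case is an input the original author would never have typed by hand, and each positive case sits beside a negative one so the test also proves the validation did not break normal use.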