Firewall Wizards mailing list archives

Re: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe)


From: Adam Shostack <adam () homeport org>
Date: Wed, 8 Aug 2001 11:30:52 -0400

On Wed, Aug 08, 2001 at 10:00:43AM +1000, Darren Reed wrote:
| In some email I received from Adam Shostack, sie wrote:
| > 
| > Clearly, you don't understand my message.  If you look at the tools I
| > mentioned, you'll see that they are code scanners, not vulnerability
| > scanners.   A code scanner (ITS4, RATS) examines the source code to an 
| > app to find calls to dangerous functions, etc.
| 
| Ah yes, that was my fault.  I saw the word "scanner" and immediately
| thought of vulnerability scanner (not source code).  Given that I now
| have a better understanding of what you meant (blinkers are off), I do
| agree with the things you were saying.

Well, there goes a good flame war. :)

| > Unit tests, in my experience, fall
| > into two sets; those written by the engineer who wrote the code, which 
| > never find anything until the code is handed over to someone else,
| > because the engineer already dealt with the cases that he wrote tests
| > for, and those written by a junior QA guy, which find fenceposts, and
| > off-by-one and that sort of thing.  Neither tends to find security
| > flaws, unless you have a really unusual person writing the tests.
| 
| Given my experience as a s/w engineer, I can say that unless you have
| someone else writing the tests, you're not likely to find half the problems.
| 
| Testing absurd input, like passing strings with linefeeds in them to
| getpwnam() or making environment variables (where used) 4K long with
| junk content, etc, needs to become part of the standard unit testing.

I don't disagree with anything you say, but that requires some level
of intelligence, and we all know how hard it is to get smart people to 
do QA.  They always want to write new code.

Of course, there's a good opportunity for someone to write a tool that
tests arbitrary code in this way, and offers advice, a la RATS.  A far 
better use of time than reading and auditing code, as you pointed out, 
is writing code that checks other code.  Once we have such code, we
can make it 'socially' unacceptable to not use it.

Adam


-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume
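The kind of "absurd input" unit test Darren describes above (linefeeds fed to getpwnam(), 4K of junk in an environment variable), written out as an added example; this is not code from the thread or from any tool mentioned in it. It assumes a hypothetical wrapper, safe_getpwnam(), that filters login names before they reach the real getpwnam(), a bounded environment-variable check, and a constructed variable name DEMO_VAR; the length limits MAX_NAME and MAX_ENV are assumptions chosen for the demonstration, not values from any system.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NAME 32    /* assumption: upper bound for a login name we accept */
#define MAX_ENV  1024  /* assumption: upper bound for an env value we consume */

/* A login name is sane only if it is non-empty, short, and contains
 * nothing but letters, digits, '_', '-' and '.'; control characters such
 * as linefeeds are rejected before any library call sees them. */
int username_is_sane(const char *name)
{
    if (name == NULL) return 0;
    size_t len = strlen(name);
    if (len == 0 || len > MAX_NAME) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.')) return 0;
    }
    return 1;
}

/* Hypothetical wrapper: the only path through which code should reach
 * getpwnam(); absurd input never gets as far as the NSS/passwd lookup. */
struct passwd *safe_getpwnam(const char *name)
{
    if (!username_is_sane(name)) return NULL;
    return getpwnam(name);
}

/* Bounded, control-character-free read of an environment variable.
 * Returns 1 if the value is present and sane, 0 otherwise. */
int env_value_is_sane(const char *var, size_t max_len)
{
    const char *v = getenv(var);
    if (v == NULL || strlen(v) > max_len) return 0;
    for (; *v; v++)
        if (iscntrl((unsigned char)*v)) return 0;
    return 1;
}

/* Unit test: feed constructed absurd usernames through the wrapper and
 * count how many are rejected.  Every case below should be rejected. */
int absurd_username_rejections(void)
{
    static char big[4097];
    memset(big, 'A', 4096);          /* 4K of junk, constructed */
    big[4096] = '\0';
    const char *cases[] = {
        "root\n",          /* trailing linefeed */
        "root\r\nalice",   /* embedded CRLF */
        "",                /* empty name */
        big,               /* far longer than any real login name */
        "bob;ls",          /* shell metacharacter */
        "al ice",          /* embedded space */
        NULL
    };
    int rejected = 0;
    for (int i = 0; cases[i] != NULL; i++)
        if (safe_getpwnam(cases[i]) == NULL) rejected++;
    return rejected;
}

/* Unit test: a 4K junk value and a value with a linefeed must be rejected,
 * an ordinary value must be accepted.  Returns 1 if all three hold. */
int absurd_env_rejected(void)
{
    static char junk[4097];
    memset(junk, 'Z', 4096);         /* constructed 4K junk value */
    junk[4096] = '\0';
    setenv("DEMO_VAR", junk, 1);
    int long_rejected = !env_value_is_sane("DEMO_VAR", MAX_ENV);
    setenv("DEMO_VAR", "x\ny", 1);   /* embedded linefeed */
    int ctrl_rejected = !env_value_is_sane("DEMO_VAR", MAX_ENV);
    setenv("DEMO_VAR", "/usr/local/bin", 1);
    int sane_accepted = env_value_is_sane("DEMO_VAR", MAX_ENV);
    unsetenv("DEMO_VAR");
    return long_rejected && ctrl_rejected && sane_accepted;
}

int main(void)
{
    printf("absurd usernames rejected: %d of 6\n", absurd_username_rejections());
    printf("absurd env handling correct: %s\n", absurd_env_rejected() ? "yes" : "no");
    return 0;
}
```

The point of the harness is the input list, not the wrapper: the same handful of hostile cases (control characters, empty, oversized, metacharacters) can be replayed against any function that takes a string, which is what makes such checks cheap enough to keep in standard unit tests rather than in a one-off audit.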


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
