Secure Coding mailing list archives
Re: Comparing Scanning Tools (false positives)
From: dwheeler at ida.org (David A. Wheeler)
Date: Tue, 13 Jun 2006 10:49:58 -0400
Gary McGraw wrote:
Hi all (especially david), The story you repeated about ITS4 finding a vulnerability "that can't happen" is wrong. The tool FIST (a fault injection tool for security) which we decribed in an Oakland paper from 1998 was what you were thinking of. (FIST was also produced at cigital...the paper was by anup ghosh, tom o'connor, and myself.). FIST found a vulnerbility that we could not figure out how to exploit. Some 6 months later, a security researcher figured out how and published the sploit.
Ah! That explains why I couldn't find it. Right basic story, and right company... but wrong tool. Thanks for the correction. I think it's a very good cautionary tale, and not everyone's heard it. Could you post a little more information about that here, with citations (URLs where possible)? I believe a preprint of the FIST paper you mean is here, correct?: http://www.cigital.com/papers/download/ieees_p98_2col.pdf --- David A. Wheeler
Current thread:
- Re: Comparing Scanning Tools (false positives) David A. Wheeler (Jun 12)
- Re: Comparing Scanning Tools (false positives) Crispin Cowan (Jun 12)
- Re: Comparing Scanning Tools (false positives) Johan Peeters (Jun 13)
- Re: Comparing Scanning Tools (false positives) David A. Wheeler (Jun 13)
- Re: Comparing Scanning Tools (false positives) Johan Peeters (Jun 13)
- <Possible follow-ups>
- Re: Comparing Scanning Tools (false positives) Gary McGraw (Jun 12)
- Re: Comparing Scanning Tools (false positives) David A. Wheeler (Jun 13)
- Re: Comparing Scanning Tools (false positives) Crispin Cowan (Jun 12)