Vulnerability Development mailing list archives
RE: Research on Source Code Review -C
From: "Ingevaldson, Dan (ISS Atlanta)" <dsi () iss net>
Date: Wed, 11 Jun 2003 15:27:37 -0400
I recommend reviewing the ISS X-Force presentation titled "Advanced Software Vulnerability Assessment", presented at last year's Black Hat Briefings in Las Vegas. The presentation outlines some of the techniques that the X-Force team uses to uncover vulnerabilities in source code. In the presentation, we covered the fact that the automated tools used to uncover flaws aren't good for finding anything besides the most trivial vulnerabilities.

Presentation details and PowerPoint:
http://www.blackhat.com/html/bh-usa-02/bh-usa-02-speakers.html#Dowd

Presentation video:
rtsp://media-1.datamerica.com/blackhat/bh-usa-02/video/BH-USA-02-DOWD-HERATH-MEHTA-FLAKE.rm

Regards,

===============================
Dan Ingevaldson
Engineering Manager, X-Force R&D
dsi () iss net
404-236-3160
Internet Security Systems, Inc.
The Power to Protect
http://www.iss.net
===============================

-----Original Message-----
From: Nicole Nicholson [mailto:nanicholson () hotmail com]
Sent: Wednesday, June 11, 2003 9:42 AM
To: dwarkeeper () hotmail com
Cc: vuln-dev () securityfocus com
Subject: Re: Research on Source Code Review -C

Dwar-

I don't know if you have looked at any of these sites. They actually contain tools & publications for source code analysis and review. You may be able to use some of their literature and/or documentation to develop a set of guidelines.

http://www.cenzic.com/
http://www.cigital.com/
http://www.dwheeler.com/flawfinder/
http://www.securesoftware.com/

Cheers.
-Nicole

<snip>
Am looking to develop source code review guidelines for code written in C/C++. I have found a few documents on the net but nothing that could be really followed along to do source code review. I also wanted to know what people in the field are actually doing and also if they could provide first-hand experience as to what all they look for and how.
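As an added example for this thread (it is not code from any of the posts, from ISS X-Force, or from the tools Nicole lists), the C program below contrasts the two classes of bug that Dan's remark separates: an unbounded strcpy() that a lexical scanner such as flawfinder flags because the dangerous function name is greppable, and a length check broken by signed/unsigned arithmetic that matches no dangerous name and is therefore left for the human reviewer. The record format (2-byte big-endian total length followed by total-2 payload bytes), the buffer sizes, the sample records and all function names are constructed for this illustration.

```c
/*
 * Added example, not code from the thread, ISS X-Force or any listed tool.
 * Assumed record layout: [u16 big-endian total_len][total_len-2 payload bytes].
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_MAX 16   /* assumed fixed destination size */

/* Case 1: the "trivial" flaw. A greppable dangerous call: strcpy() into a
 * fixed buffer with no bound on src. Name-matching scanners flag this line.
 * It is never called with overlong input in this example, because that
 * really is a stack overflow. */
void copy_name_unbounded(char dst[NAME_MAX], const char *src) {
    strcpy(dst, src);                       /* flagged: unbounded copy */
}

/* Hardened form: explicit truncation to NAME_MAX-1 plus NUL termination.
 * Returns the number of bytes copied, excluding the terminator. */
size_t copy_name_bounded(char dst[NAME_MAX], const char *src) {
    size_t n = strlen(src);
    if (n > NAME_MAX - 1)
        n = NAME_MAX - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Case 2: the length check a scanner cannot see. Both variants decide
 * whether a record is acceptable and report, via *n_out, the byte count
 * that would be handed to memcpy(out, buf + 2, *n_out). The copy itself is
 * left out so the buggy variant can be exercised safely. Return 1 = accept,
 * 0 = reject. */

/* Buggy: total is unsigned, but payload is a signed int. For total < 2 the
 * subtraction yields -1 or -2, every signed comparison passes, and the
 * implicit cast to size_t at the memcpy() turns -2 into a copy of
 * SIZE_MAX-1 bytes. No dangerous function name appears anywhere. */
int payload_len_buggy(const unsigned char *buf, size_t buflen,
                      size_t outlen, size_t *n_out) {
    if (buflen < 2)
        return 0;
    unsigned int total = ((unsigned int)buf[0] << 8) | buf[1];
    int payload = (int)total - 2;           /* -2 when total == 0 */
    if (payload > (int)outlen)              /* -2 > 16 is false: passes */
        return 0;
    if (payload > (int)buflen - 2)          /* same problem */
        return 0;
    *n_out = (size_t)payload;               /* becomes (size_t)-2 */
    return 1;
}

/* Fixed: stay in size_t, reject before subtracting, and require the
 * declared length to fit inside the bytes actually received. */
int payload_len_fixed(const unsigned char *buf, size_t buflen,
                      size_t outlen, size_t *n_out) {
    if (buflen < 2)
        return 0;
    size_t total = ((size_t)buf[0] << 8) | buf[1];
    if (total < 2)                          /* header only: no payload */
        return 0;
    size_t payload = total - 2;
    if (payload > outlen)                   /* must fit the destination */
        return 0;
    if (payload > buflen - 2)               /* must fit the received data */
        return 0;
    *n_out = payload;
    return 1;
}

int main(void) {
    /* Constructed sample: declared length 0, three trailing bytes. */
    static const unsigned char zero_len[] = { 0x00, 0x00, 'x', 'y', 'z' };
    size_t n = 0;
    int ok = payload_len_buggy(zero_len, sizeof zero_len, NAME_MAX, &n);
    printf("buggy: accept=%d, would memcpy %zu bytes\n", ok, n);
    ok = payload_len_fixed(zero_len, sizeof zero_len, NAME_MAX, &n);
    printf("fixed: accept=%d\n", ok);
    return 0;
}
```

The review habit this illustrates: for every length that flows into a copy, trace its type from the point it is read off the wire to the point it reaches memcpy(), and treat any signed intermediate or any subtraction before a lower-bound check as a finding, whether or not a tool says anything.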
Current thread:
- Research on Source Code Review -C dwar keeper (Jun 10)
- <Possible follow-ups>
- Re: Research on Source Code Review -C Nicole Nicholson (Jun 11)
- RE: Research on Source Code Review -C Marc Sherman (Jun 12)
- Re: Research on Source Code Review -C gil GUl (Jun 12)
- RE: Research on Source Code Review -C Ingevaldson, Dan (ISS Atlanta) (Jun 12)
- Re: Research on Source Code Review -C Steven M. Christey (Jun 16)