[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-Disclosure] automated vulnerability testing

To: Bill Royds <full-disclosure@royds.net>
Subject: RE: [Full-Disclosure] automated vulnerability testing
From: Todd Burroughs <todd@hostopia.com>
Date: Sat, 29 Nov 2003 04:49:06 -0500 (EST)

>   Most of these are situations similar to the halting problem on a Turing
> machine so you are unlikely to get an error free checker. But if your
> checker complains about all the possible security holes, it will complain
> about nearly every construct used within C programs.

I'm auditing one of our daemons, written in C.  I've run it through
various source code checkers and that is useful, I found something that
could be exploitable using this.  In our environment, it is not a problem,
but we'll fix it and we all learn something.

These tools are useful to find obvious problems or problems that have
a pattern.  Now, aftter using these tools, I have to look over the code
and it cannot be code that I wrote.  I don't think there's a substitute
for serious code review.

If you want to make a better tool, please do, I'll use it and if it's
good, I might help...

Todd Burroughs

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- RE: [Full-Disclosure] automated vulnerability testing
  - From: "Bill Royds" <full-disclosure@royds.net>

Prev by Date: Re: [Full-Disclosure] Wireless Security
Next by Date: [Full-Disclosure] automated vulnerability testing
Previous by thread: RE: [Full-Disclosure] automated vulnerability testing
Next by thread: [Full-Disclosure] automated vulnerability testing
Index(es):
- Date
- Thread