RE: [Full-Disclosure] automated vulnerability testing

From: Todd Burroughs (todd_at_hostopia.com)
Date: 11/29/03

    To: Bill Royds <full-disclosure@royds.net>
    Date: Sat, 29 Nov 2003 04:49:06 -0500 (EST)

    > Most of these are situations similar to the halting problem on a Turing
    > machine so you are unlikely to get an error free checker. But if your
    > checker complains about all the possible security holes, it will complain
    > about nearly every construct used within C programs.

    I'm auditing one of our daemons, written in C. I've run it through
    various source code checkers and that is useful, I found something that
    could be exploitable using this. In our environment, it is not a problem,
    but we'll fix it and we all learn something.

    These tools are useful to find obvious problems or problems that have
    a pattern. Now, after using these tools, I have to look over the code
    and it cannot be code that I wrote. I don't think there's a substitute
    for serious code review.

    If you want to make a better tool, please do, I'll use it and if it's
    good, I might help...

    Todd Burroughs

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
