Re: [Full-Disclosure] automated vulnerability testing

• Previous message: Valdis.Kletnieks_at_vt.edu: "Re: [Full-Disclosure] automated vulnerability testing"
• In reply to: Gadi Evron: "Re: [Full-Disclosure] automated vulnerability testing"
• Next in thread: Nick FitzGerald: "Re: [Full-Disclosure] automated vulnerability testing"
• Reply: Nick FitzGerald: "Re: [Full-Disclosure] automated vulnerability testing"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: Gadi Evron <ge@linuxbox.org>
Date: Sun, 30 Nov 2003 09:31:08 -0500

Everyone used to say Java was inherently secure, and look what happened
to it... plagued with vulnerabilities. No language is secure unless you
make it so restrictive that it isn't capable of doing anything useful.
Good programming relies on the programmer (as most have said in this
thread).

If you want to harden up your C programs, there are a few stack
protectors and such out there you can compile/link with that will
protect your code from typical stack smashing vulnerabilities and such.
There are also OS hardening tools out there to perform similar
protection.

That reminds me, it'd be nice if there was a C code scanner to check
your code for potential vulnerabilities. Maybe a --taint flag in gcc or
something. Anyone heard of one that does a good job? It obviously
isn't a replacement for good programming but would be a nice help to
point out things one might not otherwise see.

Jonathan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

• Previous message: Valdis.Kletnieks_at_vt.edu: "Re: [Full-Disclosure] automated vulnerability testing"
• In reply to: Gadi Evron: "Re: [Full-Disclosure] automated vulnerability testing"
• Next in thread: Nick FitzGerald: "Re: [Full-Disclosure] automated vulnerability testing"
• Reply: Nick FitzGerald: "Re: [Full-Disclosure] automated vulnerability testing"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: [Full-disclosure] Apache/PHP REQUEST_METHOD XSS Vulnerability ... Vulnerabilities are results of poor programming. ... do have a proper value checking done prior to handling off to the script ... However, it (apache) should perform integrity checks, because it has the ... (Full-Disclosure) Re: [inbox] Re: [Full-Disclosure] RE: Linux (in)security ... Are they blatantly obvious, ancient bugs that could ... certain types of implementation-level vulnerabilities? ... it's a "newer" type of overflow (from the programming error ... "obvious" Windows vulnerabilities in the past couple years: ... (Full-Disclosure)