lists.openwall.net - Open Source and information security mailing list archives
Message-ID: <Pine.LNX.4.58.0311290435200.21953@suse.bluegenesis.com>
From: todd at hostopia.com (Todd Burroughs)
Subject: automated vulnerability testing

>   Most of these are situations similar to the halting problem on a Turing
> machine so you are unlikely to get an error free checker. But if your
> checker complains about all the possible security holes, it will complain
> about nearly every construct used within C programs.

I'm auditing one of our daemons, written in C.  I've run it through
various source code checkers and that is useful, I found something that
could be exploitable using this.  In our environment, it is not a problem,
but we'll fix it and we all learn something.

These tools are useful to find obvious problems or problems that have
a pattern.  Now, after using these tools, I have to look over the code
and it cannot be code that I wrote.  I don't think there's a substitute
for serious code review.

If you want to make a better tool, please do, I'll use it and if it's
good, I might help...

Todd Burroughs
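The message above makes two points about automated checkers: they catch problems that follow a pattern, and a checker that flags everything that could be a hole ends up flagging ordinary C. The script below is an added illustration of both, written for this archive page and not taken from the original message or from any of the tools it mentions. It runs a small, hypothetical pattern table (risky libc calls plus a non-literal printf format) over a constructed C fragment, then applies one triage heuristic: a copy whose source is a string literal is bounded by that literal, so it is set aside as a probable false positive for the reviewer rather than deleted.

```python
import re

# Constructed sample C source (not from the original message): the first
# function has two real weaknesses, the second has a call that a plain
# pattern match also flags although its source is a fixed literal.
SAMPLE_C = r'''
#include <string.h>
#include <stdio.h>

void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);      /* unbounded copy of caller-supplied data */
    printf(buf);            /* format string comes from data */
}

void copy_literal(char *dst) {
    strcpy(dst, "fixed");   /* source is a literal; a pattern checker still flags it */
}
'''

# Hypothetical pattern table: libc call -> why it deserves a manual look.
RISKY_CALLS = {
    "strcpy":  "unbounded copy; bound it (snprintf/strlcpy) or check lengths",
    "strcat":  "unbounded concatenation",
    "sprintf": "no output bound; prefer snprintf",
    "gets":    "cannot bound input; never safe",
}

CALL_RE = re.compile(r'\b(' + '|'.join(map(re.escape, RISKY_CALLS)) + r')\s*\((.*)\)')
# printf whose only argument is an identifier: the format string is data.
PRINTF_RE = re.compile(r'\bprintf\s*\(\s*([A-Za-z_]\w*)\s*\)')
COMMENT_RE = re.compile(r'/\*.*?\*/')


def scan(source):
    """Return a list of (line_no, call, reason, likely_false_positive)."""
    findings = []
    for line_no, raw in enumerate(source.splitlines(), start=1):
        line = COMMENT_RE.sub('', raw)   # ignore single-line /* */ comments
        for m in CALL_RE.finditer(line):
            call, args = m.group(1), m.group(2)
            # Triage heuristic: a copy whose source argument is a string
            # literal is bounded by that literal, so the hit is probably noise.
            parts = [p.strip() for p in args.split(',')]
            literal_src = len(parts) >= 2 and parts[1].startswith('"')
            findings.append((line_no, call, RISKY_CALLS[call], literal_src))
        for m in PRINTF_RE.finditer(line):
            findings.append((line_no, "printf",
                             "non-literal format string %r" % m.group(1), False))
    return findings


def summarize(findings):
    """Split findings into those needing review and probable false positives."""
    review = [f for f in findings if not f[3]]
    noise = [f for f in findings if f[3]]
    return review, noise


if __name__ == "__main__":
    review, noise = summarize(scan(SAMPLE_C))
    for line_no, call, reason, _ in review:
        print("line %d: %s -- %s" % (line_no, call, reason))
    print("%d probable false positive(s) set aside for review" % len(noise))
```

The heuristic is deliberately crude: it only reads one line at a time and only recognises a literal source operand, so it says nothing about whether `buf` in `greet` is actually large enough for `name`. That residual question is exactly the part the message leaves to human code review.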

