Open Source and information security mailing list archives
Message-ID: <1070202668.3141.9.camel@tantor.nuclearelephant.com>
From: jonathan at nuclearelephant.com (Jonathan A. Zdziarski)
Subject: automated vulnerability testing

Everyone used to say Java was inherently secure, and look what happened
to it... plagued with vulnerabilities.  No language is secure unless you
make it so restrictive that it isn't capable of doing anything useful.
Good programming relies on the programmer (as most have said in this
thread). 

If you want to harden up your C programs, there are a few stack
protectors and such out there you can compile/link with that will
protect your code from typical stack smashing vulnerabilities and such. 
There are also OS hardening tools out there to perform similar
protection.

That reminds me, it'd be nice if there was a C code scanner to check
your code for potential vulnerabilities.  Maybe a --taint flag in gcc or
something.  Anyone heard of one that does a good job?  It obviously
isn't a replacement for good programming but would be a nice help to
point out things one might not otherwise see.

Jonathan
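As an added example (not part of Jonathan's message or the thread), here is the bug class a stack protector is a backstop for, beside the bounded version a C code scanner would want you to write instead; `NAME_MAX`, `greet_unchecked` and `greet_bounded` are names made up for this illustration.

```c
/* Build with a stack protector, e.g.
 *   gcc -fstack-protector-strong -O2 demo.c
 * (or plain -fstack-protector on older GCC): the unchecked version then
 * aborts with "stack smashing detected" on oversize input instead of
 * silently corrupting the stack. The protector is a runtime backstop;
 * the bounded version is the actual fix. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* hypothetical fixed buffer size for the example */

/* Deliberately unchecked: strcpy stops only at the NUL terminator, so
 * input longer than NAME_MAX-1 bytes writes past 'name' into whatever
 * the compiler placed above it (saved registers, canary, return address). */
int greet_unchecked(const char *input)
{
    char name[NAME_MAX];
    strcpy(name, input);            /* no bound: classic stack smash */
    return (int)strlen(name);
}

/* Bounded version: copies at most NAME_MAX-1 bytes, always terminates,
 * and reports truncation so the caller can reject oversize input. */
int greet_bounded(const char *input, int *truncated)
{
    char name[NAME_MAX];
    size_t n = strlen(input);
    *truncated = (n >= NAME_MAX);
    if (*truncated)
        n = NAME_MAX - 1;
    memcpy(name, input, n);
    name[n] = '\0';
    return (int)strlen(name);
}

int main(void)
{
    int trunc = 0;
    char big[64];                   /* constructed oversize input */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("short: %d\n", greet_bounded("alice", &trunc));
    printf("big: %d truncated=%d\n", greet_bounded(big, &trunc), trunc);
    /* greet_unchecked(big) would overflow 'name'; with a stack protector
     * enabled the runtime aborts there rather than returning. */
    return 0;
}
```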


