
 
From: Michael Dean (michaelldean_at_sbcglobal.net)
Date: Sat Oct 26 2002 - 22:21:20 CDT


    Go to Google. Do a search with .org selected. Go to sourceforge.net.
    Crispin Cowan wrote:

    > puja wrote:
    >
    >> Thanks for the reply.
    >> Can you please name some freely available packages (which you are
    >> referring to in your mail), which can be used to find whether the code is
    >> vulnerable or not.
    >> Actually, as I said earlier, I have bought the code from some
    >> third party, and also since its size is very big, it's not possible to
    >> tell its programmers to explain each and every part of it.
    >>
    >> I am currently using ITS4, a tool for static code analysis. It warns
    >> me of the use of functions like strcat(), which are vulnerable, and
    >> advises to use strncat instead. This doesn't completely fulfill my
    >> requirement.
    >
    >
    > I think you're misunderstanding the response you got. You are not
    > going to get your requirement fulfilled: it is not practical to scan a
    > piece of code and show it to be free of vulnerabilities, unless you
    > are planning to invest a *lot* of time and effort into the project.
    > Worse, the problem is super-linear: the larger the code base, the
    > harder the problem gets, until you hit about 100,000 lines of source
    > code, at which point it becomes impossible to show the code is safe,
    > even with infinite time and money.
    >
    > Source code auditing is, in large part, a task for people dedicated to
    > source code auditing. It is not something that IT can do in the field
    > in a short period of time.
    >
    >> I want to ensure that the code doesn't contain any malicious code or
    >> any backdoors which might be dangerous for my system.
    >
    >
    > Good luck: you are going to need it.
    >
    > A practical tip: try RATS instead of ITS4. It takes a similar
    > approach, but has numerous additional advances. There is a
    > comprehensive list of source code analysis tools here
    > http://sardonix.org/Auditing_Resources.html
    >
    > Crispin
    >
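As an added illustration (not part of the thread, and not ITS4's or RATS's own code): a minimal ITS4-style lexical scanner in Python, run over a constructed C snippet, showing why a name match on risky calls flags a guarded strcat() exactly like an unguarded one and can say nothing about the rest of the code. The risk table and the sample source are assumptions constructed here.

```python
import re

# Constructed C sample (not from the thread): two strcat() calls that a
# lexical tool cannot tell apart, plus the strncat() the tool would suggest.
SAMPLE_C = r'''
#include <string.h>
void greet(char *name) {
    char buf[64];
    strcpy(buf, "Hello, ");
    strcat(buf, name);                               /* unbounded: real risk */
}
void safe(const char *a) {
    char out[16] = "";
    if (strlen(a) < sizeof(out)) strcat(out, a);     /* guarded, still flagged */
    strncat(out, a, sizeof(out) - strlen(out) - 1);  /* bounded */
}
void my_strcat_wrapper(void) { /* strcat(x, y) inside a comment is ignored */ }
'''

# ITS4/RATS-style database (assumed here): function name -> (severity, advice)
RISKY_CALLS = {
    "strcpy":  ("high", "use strncpy or snprintf with an explicit size"),
    "strcat":  ("high", "use strncat with the remaining buffer size"),
    "gets":    ("high", "never safe; use fgets"),
    "sprintf": ("medium", "use snprintf"),
    "strncat": ("low", "check that the size argument leaves room for the NUL"),
}

def strip_comments(src: str) -> str:
    """Blank out /* ... */ comments while preserving line numbers."""
    return re.sub(r"/\*.*?\*/",
                  lambda m: re.sub(r"[^\n]", " ", m.group()), src, flags=re.S)

def scan(src: str):
    """Return (line, function, severity, advice) for each risky call.

    Matches whole identifiers directly followed by '(' so that
    my_strcat_wrapper is not reported; nothing about argument sizes or
    surrounding checks is examined, which is the tool's blind spot."""
    findings = []
    for lineno, line in enumerate(strip_comments(src).splitlines(), 1):
        for m in re.finditer(r"\b([A-Za-z_]\w*)\s*\(", line):
            name = m.group(1)
            if name in RISKY_CALLS:
                sev, advice = RISKY_CALLS[name]
                findings.append((lineno, name, sev, advice))
    return findings

if __name__ == "__main__":
    for lineno, name, sev, advice in scan(SAMPLE_C):
        print(f"line {lineno}: {name}() [{sev}] - {advice}")
```

Lines 6 and 10 come back with the same severity even though line 10 is length-checked, and a logic bomb or backdoor that calls no listed function would not appear at all.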