From: Wall, Kevin (Kevin.Wallqwest.com)
Date: Thu Jan 17 2002 - 15:26:30 CST
> Also does anyone want to share a good basic
> methodology for a security source code review?
Not a methodology, but I'll provide you with step 1
(or at least what should be one of the very early tests)...
1) Where possible, prior to code inspection, run the source
code through a static analysis vulnerability detector such
as RATS, ITS4, or Flawfinder. Then either clean up/correct
the items that the tool finds or make the findings available
to the inspection team.
I think that this is the best approach because tools can find these
well-known vulnerabilities faster and with more consistency than
humans. For example, in the same way, you want the code you are
inspecting to be compilable. You don't want humans to have to look
for syntax errors (unless you are a fan of Harlan Mills' Clean Room
Engineering approach) since compilers do this so much more efficiently.
---
Kevin W. Wall
Qwest Communications International, Inc.
Kevin.Wallqwest.com
Phone: 614.932.5542

"Wipe Info uses hexadecimal values to wipe files. This provides more
security than wiping with decimal values."
-- Norton System Works 2002 manual, pg 160
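As an added illustration of the kind of check step 1 relies on (this is example code, not from the post and not the code of RATS, ITS4 or Flawfinder), a small Python scanner in the same lexical style as those tools: it flags calls to a constructed table of risky C functions, ignores names that appear only in comments or string literals, treats printf with a literal format as safe, and returns findings ranked by risk level for the inspection team. The rule levels, notes and sample C source are hypothetical.

```python
import re
from collections import namedtuple
# Constructed rule table in the spirit of RATS/ITS4/Flawfinder (hypothetical
# levels and notes): risky C function -> (risk level 1..5, note for inspectors).
RULES = {
    "gets":    (5, "unbounded read from stdin; use fgets with a size"),
    "strcpy":  (4, "unbounded copy; prove the destination is large enough"),
    "printf":  (4, "non-literal format string; the caller may control it"),
    "strncpy": (1, "bounded, but the result may lack a NUL terminator"),
}
Finding = namedtuple("Finding", "line func level note")
# Comments and string-literal contents are blanked before matching (newlines
# kept so line numbers stay right); a name seen only there is not reported.
NOISE_RE = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\])*"', re.S)
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\((?=\s*(\S?))")

def _blank(m):
    body = re.sub(r"[^\n]", " ", m.group(0))
    if m.group(0).startswith('"'):
        return '"' + body[1:-1] + '"'  # keep the quotes: literal formats stay visible
    return body

def scan(source, minlevel=1):
    """Lexically flag calls to risky C functions, most severe first."""
    cleaned = NOISE_RE.sub(_blank, source)
    findings = []
    for m in CALL_RE.finditer(cleaned):
        name = m.group(1)
        if name not in RULES or RULES[name][0] < minlevel:
            continue
        if name == "printf" and m.group(2) == '"':
            continue  # literal format string: no format-string risk
        line = cleaned.count("\n", 0, m.start()) + 1
        findings.append(Finding(line, name, *RULES[name]))
    return sorted(findings, key=lambda f: (-f.level, f.line))

# Constructed sample C: real calls on lines 4, 6 and 7; decoys on lines 1 and 8.
SAMPLE_C = '''\
/* strcpy(a, b) named in a comment must not be reported */
int greet(const char *name, const char *fmt) {
    char buf[32];
    strcpy(buf, name);
    printf("hello %s\\n", buf);  // literal format: fine
    printf(fmt);
    strncpy(buf, name, sizeof buf - 1);
    return puts("gets(x) inside a string is ignored too");
}
'''
if __name__ == "__main__":
    print(*scan(SAMPLE_C), sep="\n")
```

Raising minlevel hands the inspectors only the high-risk hits first, which is the triage choice the post's step 1 leaves to the team.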