OSEC

From: James Fleming (jamesfleming94588yahoo.com)
Date: Thu Jan 17 2002 - 16:29:01 CST


Not that this is a legal debate, but I have been told not to use
GNU-licensed source code analyzers. I am told this effectively means
your code would also need to be GNU (available to everyone, etc.).

Just a word of warning!

--- "Wall, Kevin" <Kevin.Wallqwest.com> wrote:
> > Also does anyone want to share a good basic
> > methodology for a security source code review?
>
> Not a methodology, but I'll provide you with step 1 (or at least what
> should be one of the very early tests)...
>
> 1) Where possible, prior to code inspection, run the source code through
> a static analysis vulnerability detector such as RATS, ITS4, or
> Flawfinder. Then either clean up/correct the items that the tool finds
> or make the findings available to the inspection team.
>
> I think that this is the best approach because tools can find these
> well-known vulnerabilities faster and with more consistency than humans.
> For example, in the same way, you want the code you are inspecting to be
> compilable. You don't want humans to have to look for syntax errors
> (unless you are a fan of Harlan Mills' Clean Room Engineering approach)
> since compilers do this so much more efficiently.
>
> -kevin
> ---
> Kevin W. Wall Qwest Communications International, Inc.
> Kevin.Wallqwest.com Phone: 614.932.5542
> "Wipe Info uses hexadecimal values to wipe files. This provides more
> security than wiping with decimal values."
> -- Norton System Works 2002 manual, pg 160

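The step 1 quoted in this thread (run the source through RATS, ITS4 or Flawfinder before the human inspection) rests on a simple idea: those tools lexically match calls to functions with well-known misuse patterns, rank each hit by risk, and hand the ranked list to the reviewers. The following Python scanner is an added illustration of that idea, not code from this thread or from any of the tools named; the RULES table, the risk levels and the C sample it scans are constructed for the example, and it deliberately skips comments and string literals so that a function name mentioned in a comment is not reported.

```python
"""Toy lexical vulnerability scanner in the style of RATS / ITS4 / Flawfinder.
Added example; the ruleset and the sample C source below are constructed."""
import re
from dataclasses import dataclass

# Constructed ruleset: function name -> (risk 1-5, why it is flagged, safer alternative)
RULES = {
    "gets":    (5, "no bound on input length", "use fgets() with the buffer size"),
    "strcpy":  (4, "no bound on copy length", "use strncpy()/strlcpy() with an explicit size"),
    "strcat":  (4, "no bound on append length", "use strncat()/strlcat() with remaining space"),
    "sprintf": (4, "no bound on output length", "use snprintf() with the buffer size"),
    "scanf":   (4, "%s without a width reads unbounded input", "add a field width, e.g. %63s"),
    "system":  (4, "shell interprets the argument", "use execve() with a fixed argv"),
    "strlen":  (1, "crashes on unterminated strings", "ensure the buffer is NUL-terminated"),
}


@dataclass
class Finding:
    line: int       # 1-based line number in the scanned file
    func: str       # flagged function name
    risk: int       # 1 (informational) .. 5 (almost always a bug)
    reason: str
    fix: str
    context: str    # the original source line, for the inspection team


# Block comments, line comments and string literals, matched left to right.
_SKIP_RE = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"', re.S)
# An identifier followed by '(' : a candidate call site.
_CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")


def _strip_comments_and_strings(src):
    # Replace comments and strings with spaces of equal length, keeping
    # newlines, so names inside them are not reported and line numbers
    # still line up with the original file.
    return _SKIP_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)


def scan_source(src, min_risk=1):
    """Return findings for calls in RULES at or above min_risk, highest risk first."""
    cleaned = _strip_comments_and_strings(src)
    original = src.splitlines()
    findings = []
    for lineno, text in enumerate(cleaned.splitlines(), start=1):
        for m in _CALL_RE.finditer(text):
            name = m.group(1)
            if name in RULES and RULES[name][0] >= min_risk:
                risk, reason, fix = RULES[name]
                findings.append(Finding(lineno, name, risk, reason, fix,
                                        original[lineno - 1].strip()))
    # Most dangerous first; ties keep file order so reviewers read top-down.
    findings.sort(key=lambda f: (-f.risk, f.line))
    return findings


def report(findings):
    """One 'line:function:risk:reason' record per finding, for the inspection team."""
    return [f"{f.line}:{f.func}:{f.risk}:{f.reason}" for f in findings]


# Constructed sample: lines 4 and 7 mention strcpy only in a comment / string.
SAMPLE_C = r"""#include <stdio.h>
#include <string.h>

/* strcpy(dst, src) in a comment must not be reported */
int greet(char *name) {
    char buf[32];
    printf("usage: strcpy(buf, name)\n");   /* inside a string: ignore */
    strcpy(buf, name);                        /* line 8: unbounded copy */
    gets(buf);                                /* line 9: unbounded read */
    return (int)strlen(buf);                  /* line 10: low risk */
}
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_C):
        print(f"{f.line}: {f.func} [risk {f.risk}] {f.reason}; {f.fix}\n    {f.context}")
```

Running it on the sample reports `gets` on line 9, `strcpy` on line 8 and the low-risk `strlen` on line 10, and nothing for the mentions in the comment and the string. Raising `min_risk` is the same triage knob the real tools expose: the inspection team sees the high-risk hits first and can decide whether the low-risk ones are worth their time.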