OSEC

 
From: Rob Chanter (robccyber.com.au)
Date: Thu Jan 17 2002 - 16:43:14 CST


    On Thu, Jan 17, 2002 at 02:29:01PM -0800, James Fleming wrote:
    > Not that this is a legal debate I have been told don't
    > use GNU licensed source code analyzers. I am told this
    > effectively means your code would also need to be GNU
    > (available to everyone etc)
     
    Told by whom? Jim Allchin? Scott Culp?

    Read the GPL through, from start to finish, just once. Then tell me if
    you still think that. It's no more going to infect your code than gcc or
    gdb is. Which is not at all.

    >
    > Just a word of warning !
    >
    Yeah, and they'll erase all the data on your hard drive, redirect your
    dialup to Uzbekistan and sleep with your wife.

    The most dangerous and destructive Source Code Analysers Yet! Forward
    this to everyone in your address book!

    I don't know for sure but I got this from a lawyer and it sounds legit!

    Furrfu.

    > --- "Wall, Kevin" <Kevin.Wall@qwest.com> wrote:
    > > > Also does anyone want to share a good basic
    > > > methodology for a security source code review?
    > >
    > > Not a methodology, but I'll provide you with step 1 (or at least what
    > > should be one of the very early tests)...
    > >
    > > 1) Where possible, prior to code inspection, run the source code
    > > through a static analysis vulnerability detector such as RATS, ITS4,
    > > or Flawfinder. Then either clean up/correct the items that the tool
    > > finds or make the findings available to the inspection team.
    > >
    > > I think that this is the best approach because tools can find these
    > > well-known vulnerabilities faster and with more consistency than
    > > humans. For example, in the same way, you want the code you are
    > > inspecting to be compilable. You don't want humans to have to look
    > > for syntax errors (unless you are a fan of Harlan Mills' Clean Room
    > > Engineering approach) since compilers do this so much more
    > > efficiently.
    > >
    > > -kevin
    > > ---
    > > Kevin W. Wall          Qwest Communications International, Inc.
    > > Kevin.Wall@qwest.com   Phone: 614.932.5542
    > > "Wipe Info uses hexadecimal values to wipe files. This provides more
    > > security than wiping with decimal values."
    > > -- Norton System Works 2002 manual, pg 160
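The "step 1" quoted in this thread (run RATS, ITS4 or Flawfinder over the tree, then triage the findings before the human inspection starts) is, at its core, a lexical scan for calls to functions with a known history of misuse. The scanner below is an added example written for this page, not code from the thread or from any of those tools; the rule table, its risk levels and the sample C file are constructed for illustration. It shows what such a tool can and cannot do: it skips comments and string literals so the word `strcpy` in a message is not a finding, it ranks `gets` above `strncpy`, and it has no way to know whether the source of a `strcpy` is attacker-controlled, which is exactly why the output goes to the inspection team rather than being auto-closed.

```python
"""Toy lexical vulnerability scanner, in the spirit of RATS/ITS4/Flawfinder.

Added example for this page (not the thread's or the tools' own code): the
rule table, risk levels and the sample C source are all constructed here.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed rule table: function name -> (risk level 1..5, reviewer note).
# Real tools ship much larger databases; these entries illustrate the idea.
RISKY_CALLS = {
    "gets":    (5, "unbounded read into a fixed buffer; no safe use exists"),
    "strcpy":  (4, "no bounds check; verify source length or use snprintf"),
    "strcat":  (4, "no bounds check on destination"),
    "sprintf": (4, "no bounds check; prefer snprintf"),
    "system":  (4, "shell execution; check where the argument comes from"),
    "strncpy": (1, "may leave destination unterminated; check for a NUL"),
}

# Comments and string literals are blanked (newlines kept so line numbers
# stay correct) so that "strcpy" in a comment or a message is not a finding.
_NOISE_RE = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"', re.S)
_CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")


@dataclass
class Finding:
    line: int
    func: str
    level: int
    note: str


def blank_noise(src: str) -> str:
    """Replace comment and string-literal characters with spaces."""
    return _NOISE_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)


def scan(src: str, min_level: int = 1) -> list[Finding]:
    """Return findings at or above min_level, highest risk first."""
    findings: list[Finding] = []
    for lineno, text in enumerate(blank_noise(src).splitlines(), start=1):
        for m in _CALL_RE.finditer(text):
            name = m.group(1)
            if name in RISKY_CALLS:
                level, note = RISKY_CALLS[name]
                if level >= min_level:
                    findings.append(Finding(lineno, name, level, note))
    return sorted(findings, key=lambda f: (-f.level, f.line))


def report(findings: list[Finding], filename: str = "sample.c") -> str:
    """Format findings one per line, roughly the way Flawfinder prints them."""
    return "\n".join(
        f"{filename}:{f.line}: [{f.level}] ({f.func}) {f.note}" for f in findings
    )


# Constructed sample input: a small C file with three call sites worth a look
# and two decoys (a comment and a string literal that mention strcpy).
SAMPLE_C = r"""#include <stdio.h>
#include <string.h>

/* strcpy(in a comment) must not be reported */
void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);          /* unbounded copy: line 7 */
    printf("hello %s\n", buf);
}

int read_line(void) {
    char line[128];
    gets(line);                 /* line 13 */
    return (int)strlen(line);
}

void banner(void) {
    puts("call strcpy() for a surprise");   /* literal, not a call */
    char dst[8];
    strncpy(dst, "abc", sizeof dst);        /* low risk: line 20 */
}
"""

if __name__ == "__main__":
    # Prints three findings: gets at line 13, strcpy at line 7, strncpy at line 20.
    print(report(scan(SAMPLE_C)))
```

Running the file prints the three findings in risk order; `scan(SAMPLE_C, min_level=4)` drops the `strncpy` hit, which is how a team would cut noise before handing the list to reviewers. The `strcpy` in `greet` is the kind of item that needs a human: the tool reports the call, the inspector decides whether `name` can ever exceed 31 bytes.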