OSEC

From: James Fleming (jamesfleming94588yahoo.com)
Date: Thu Jan 17 2002 - 16:55:18 CST


    Actually I have come across it several times with
    Fortune 500's. Two places I contracted at, on Wall
    Street last year banned any use of GNU licensed tools
    in development. It was in the contract for secure code
    review. When we asked why, that was the reason both
    times!

    Sounds like you know best though so I'll ignore the
    advice of well oiled legal depts.

    --- Rob Chanter <robccyber.com.au> wrote:
    > On Thu, Jan 17, 2002 at 02:29:01PM -0800, James Fleming wrote:
    > > Not that this is a legal debate I have been told don't
    > > use GNU licensed source code analyzers. I am told this
    > > effectively means your code would also need to be GNU
    > > (available to everyone etc)
    >
    > Told by whom? Jim Allchin? Scott Culp?
    >
    > Read the GPL through, from start to finish, just once. Then tell me if
    > you still think that. It's no more going to infect your code than gcc or
    > gdb is. Which is not at all.
    >
    > >
    > > Just a word of warning!
    > >
    > Yeah, and they'll erase all the data on your hard drive, redirect your
    > dialup to Uzbekistan and sleep with your wife.
    >
    > The most dangerous and destructive Source Code Analysers Yet! Forward
    > this to everyone in your address book!
    >
    > I don't know for sure but I got this from a lawyer and it sounds legit!
    >
    > Furrfu.
    >
    > > --- "Wall, Kevin" <Kevin.Wallqwest.com> wrote:
    > > > > Also does anyone want to share a good basic
    > > > > methodology for a security source code review?
    > > >
    > > > Not a methodology, but I'll provide you with step 1
    > > > (or at least what should be one of the very early
    > > > tests)...
    > > >
    > > > 1) Where possible, prior to code inspection, run the source
    > > > code through a static analysis vulnerability detector such
    > > > as RATS, ITS4, or Flawfinder. Then either clean up/correct
    > > > the items that the tool finds or make the findings available
    > > > to the inspection team.
    > > >
    > > > I think that this is the best approach because tools can find these
    > > > well-known vulnerabilities faster and with more consistency than
    > > > humans. For example, in the same way, you want the code you are
    > > > inspecting to be compilable. You don't want humans to have to look
    > > > for syntax errors (unless you are a fan of Harlan Mills' Clean Room
    > > > Engineering approach) since compilers do this so much more efficiently.
    > > >
    > > > -kevin
    > > > ---
    > > > Kevin W. Wall                 Qwest Communications International, Inc.
    > > > Kevin.Wallqwest.com           Phone: 614.932.5542
    > > > "Wipe Info uses hexadecimal values to wipe files. This provides more
    > > > security than wiping with decimal values."
    > > > -- Norton System Works 2002 manual, pg 160

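As an added illustration of what the static-analysis step Kevin Wall describes in the quoted message actually does (constructed example code, not RATS, ITS4 or Flawfinder and not from anyone on the thread): a minimal lexical scanner over a constructed C sample that flags calls from a hypothetical risk-ranked function table, ignores matches inside comments and string literals, and sorts findings worst-first for the inspection team.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed rule table in the spirit of RATS/ITS4/Flawfinder (not their real rules): name -> (risk 1-5, note).
RULES: Dict[str, Tuple[int, str]] = {
    "gets":    (5, "no bound on input length; use fgets"),
    "strcpy":  (4, "unbounded copy; use strlcpy or snprintf"),
    "sprintf": (4, "unbounded output; use snprintf"),
    "system":  (4, "shell invocation; verify argument provenance"),
    "strncpy": (1, "may leave dest unterminated; check for explicit NUL"),
}

class Finding(NamedTuple):
    line: int
    func: str
    risk: int
    note: str

CALL_RE = re.compile(r"\b(" + "|".join(RULES) + r")\s*\(")
STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')

def strip_noise(src: str) -> List[str]:
    """Blank out block comments, string literals and // comments, keeping line numbers."""
    src = re.sub(r"/\*.*?\*/", lambda m: re.sub(r"[^\n]", " ", m.group(0)), src, flags=re.S)
    return [STRING_RE.sub('""', raw).split("//", 1)[0] for raw in src.splitlines()]

def scan(src: str, min_risk: int = 1) -> List[Finding]:
    """Flag calls to listed functions; sort worst risk first, then by line."""
    found = []
    for n, line in enumerate(strip_noise(src), 1):
        for m in CALL_RE.finditer(line):
            risk, note = RULES[m.group(1)]
            if risk >= min_risk:
                found.append(Finding(n, m.group(1), risk, note))
    return sorted(found, key=lambda f: (-f.risk, f.line))

# Constructed sample input, as a reviewer might receive it for inspection.
SAMPLE_C = """#include <stdio.h>
#include <string.h>
/* strcpy() mentioned in a comment must not be flagged */
void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);               // flagged, risk 4
    printf("never call gets(), it is unsafe\\n");  // inside a string literal: not flagged
    strncpy(buf, name, sizeof buf);  // flagged, risk 1
    gets(buf);                       // flagged, risk 5
}
"""
for f in scan(SAMPLE_C):
    print(f"line {f.line}: {f.func}() risk {f.risk}: {f.note}")
```

Raising `min_risk` gives the "clean up first" list; the full output is what you would hand to the inspection team.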