On 21 March 2012 13:55, Jeffrey Walton <noloa...@gmail.com> wrote:

> On Fri, Mar 16, 2012 at 12:50 PM, Paolo Perego <thesp0...@gmail.com>
> wrote:
> > If you would like to add it on your feed, it would be great.
> For the love of <higher power>, please discuss the tool chain's static
> analysis capabilities, and suggest a clean compile as a security gate
> (gcc: -Wall -Wextra -Wconversion).
Hi Jeff, thanks for the suggestion... I was arguing if there were people
interested in plain old school security applied to non web application.
Of course I'll cover static analysis and how to use compilers and
interpreters to spot security bugs...
I think some posts to recap what a buffer overflow or format bug
vulnerabilities are can be useful, what do you think about it? Does it make

>From my experience, its nearly impossible to 'quick audit' a GNU
> project. Entering `make CFLAGS="-Wall -Wextra -Wconversion ..." causes
> so much output its difficult to locate/triage issues.
It is... in this case, some grep command lines are more useful but it's a
very interesting topic to go deeper.

> You will be swimming against the tide with some of the l33t k3rn3l
> hack3rz: "Gcc is crap" [1].
 All assumptions about how perfect are compilers or interpreters go to
/dev/null. Software is written by humans, so all software is bugged by
definition. All checks are necessary .


"... static analysis is fun, again!"

life from an application security guy ~> http://armoredcode.com
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates

Reply via email to