http://codesearch0day.appspot.com/
On Mar 16, 2010, at 11:41 AM, Matt Parsons wrote:
Hello,
I am working on a software security blog and I am trying to find
open source vulnerabilities to present and share. Does anyone else
have any open source vulnerabilities that they could share and
This doesn't feel like responsible disclosure and is not the way to
announce weaknesses in software. It is best to deal with scenarios that
have already been addressed.
From: sc-l-boun...@securecoding.org
[mailto:sc-l-boun...@securecoding.org] On Behalf Of Matt
Matt,
You can find quite a list of OSS vulnerabilities over at CVE (cve.mitre.org)
or NVD (nvd.nist.gov), but here are a couple that I tend to use for
illustrative purposes when teaching.
- Apache Chunked Encoding vuln (#CVE-2002-0392), an integer overflow. Of
particular interest because
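The chunked-encoding bug named above is a good teaching case because the defect class is small enough to show in a few lines. The code below is an added illustration of that class, not Apache's code and not from the poster: a chunk length that ends up in a signed int can pass a "fits in the buffer" comparison as a negative number and then wrap to a huge count when handed to a size_t-taking copy. The hardened parser beside it accumulates into an unsigned size_t with an explicit overflow check and a ceiling. MAX_CHUNK_SIZE, the function names and the sample chunk-size lines are all constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical per-chunk ceiling; a real server takes this from configuration. */
#define MAX_CHUNK_SIZE ((size_t)65536)

/* Faulty pattern of the CVE-2002-0392 bug class (illustration, not Apache's code):
   the chunk length is held in a signed int and compared against the buffer size.
   A value with the top bit set becomes negative, passes "len <= bufsize", and is
   later used as a size_t length, where it wraps to a huge copy count. */
int signed_bounds_check_passes(size_t chunk_len, int bufsize)
{
    int len = (int)chunk_len;        /* truncation / sign change: the bug */
    return len <= bufsize;           /* a negative len "fits" */
}

/* Hardened parser: reads a hex chunk-size line such as "1a3f;ext=1\r\n",
   accumulates into size_t with an explicit overflow check, requires at least
   one digit, stops at the chunk-extension ';' or at CR/LF, and enforces a
   ceiling. Returns 0 on success and -1 on malformed or oversized input. */
int parse_chunk_size(const char *line, size_t *out)
{
    size_t value = 0;
    int ndigits = 0;

    for (; *line; line++) {
        unsigned char c = (unsigned char)*line;
        int digit;
        if (isdigit(c))
            digit = c - '0';
        else if (c >= 'a' && c <= 'f')
            digit = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F')
            digit = c - 'A' + 10;
        else if (c == ';' || c == '\r' || c == '\n')
            break;                   /* end of the size field */
        else
            return -1;               /* illegal character */

        /* value * 16 + digit must stay <= SIZE_MAX */
        if (value > (SIZE_MAX - (size_t)digit) / 16)
            return -1;
        value = value * 16 + (size_t)digit;
        ndigits++;
    }

    if (ndigits == 0)
        return -1;                   /* empty size field */
    if (value > MAX_CHUNK_SIZE)
        return -1;                   /* reject honestly instead of wrapping */
    *out = value;
    return 0;
}

int main(void)
{
    /* Constructed sample chunk-size lines. */
    const char *samples[] = { "1a3f\r\n", "FFFFFFFF\r\n", "1a3f;name=v\r\n",
                              "\r\n", "zz\r\n" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t n;
        int rc = parse_chunk_size(samples[i], &n);
        int shown = (int)strcspn(samples[i], "\r\n");
        printf("%-12.*s -> %s", shown, samples[i], rc == 0 ? "ok" : "rejected");
        if (rc == 0)
            printf(" (%zu bytes)", n);
        printf("\n");
    }
    printf("signed check passes for 0xFFFFFFFF against a 4096-byte buffer: %d\n",
           signed_bounds_check_passes((size_t)0xFFFFFFFFu, 4096));
    return 0;
}
```

The point to draw out in class is the second function's first line: the check looks correct, and the length was validated, yet the type chosen for the intermediate value is what decides whether the comparison means anything.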
I am not suggesting exposing zero days. I only want known vulnerabilities
in applications like WebGoat etc. that are known to everyone. I don't even
plan on naming where each vulnerability comes from but rather instead change
the code to protect the innocent. I would never encourage promoting
I have been a programmer and a security analyst for a few years now. When
I first started, developers told me I didn't know how to code well enough and
CISSPs told me I didn't have enough security experience. Has anyone had
any success training CISSPs and non-programmers how to write code
At the OWASP Open Review project we run Fortify scans for open source project
maintainers. There is some summary information on the main page, but the
actual detailed scan info is only available to the project maintainers.
(Echoing James McGovern's concerns we didn't want it to end up being
Hi,
Regarding training non-developers to write secure code, what are the
circumstances that a non-developer would create code that would
*require* security? I am assuming that system administrators know the
basics of their trade and scripting language of choice so security there
is taken care of