Hey there,
> If you couldn't insert "ignore" directives, many people
> wouldn't use such tools at all, and would release code with
> vulnerabilities that WOULD be found by such tools.
Of course, much like an IDS, you have to find the baseline and adjust your
ruleset according to the norm, if
Hey all,
> 1) the original author of the defect thought that s/he was
> doing things correctly in using strncpy (vs. strcpy).
> 2) the original author had apparently been doing static
> source analysis using David Wheeler's Flawfinder tool, as we
> can tell from the comments.
>
This is humoro
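The message above says the defect came from using strncpy in the belief that it was the safe choice. The page does not show the actual code, so the following is an added illustration (not code from that thread or from Flawfinder) of the well-known strncpy pitfall: when the source is at least as long as the destination, strncpy writes no terminating NUL, and any later strlen or printf on the buffer reads past its end. The buffer size and the sample names are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed buffer size for the example; small so the truncation is visible. */
#define NAME_LEN 8

/* The naive "safe" replacement for strcpy: bounded, but when strlen(src) >= dstlen
 * strncpy fills all dstlen bytes and writes no terminating NUL. */
void copy_name_unsafe(char *dst, size_t dstlen, const char *src)
{
    strncpy(dst, src, dstlen);
}

/* Hardened form: copy at most dstlen-1 bytes and always terminate the string.
 * The result may be silently truncated, so callers that care must check the length. */
void copy_name_safe(char *dst, size_t dstlen, const char *src)
{
    if (dstlen == 0)
        return;
    strncpy(dst, src, dstlen - 1);
    dst[dstlen - 1] = '\0';
}

/* True if buf contains a NUL within len bytes, i.e. it is a valid C string. */
bool is_terminated(const char *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

/* Returns true when the strncpy-only copy of src leaves the buffer unterminated. */
bool unsafe_copy_loses_terminator(const char *src)
{
    char dst[NAME_LEN];
    memset(dst, 'X', sizeof dst);   /* poison so we see exactly what strncpy left */
    copy_name_unsafe(dst, sizeof dst, src);
    return !is_terminated(dst, sizeof dst);
}

/* Returns true when the hardened copy of src is a terminated C string. */
bool safe_copy_is_terminated(const char *src)
{
    char dst[NAME_LEN];
    memset(dst, 'X', sizeof dst);
    copy_name_safe(dst, sizeof dst, src);
    return is_terminated(dst, sizeof dst);
}

/* Returns true when the hardened copy of src equals expected (shows the truncation). */
bool safe_copy_equals(const char *src, const char *expected)
{
    char dst[NAME_LEN];
    memset(dst, 'X', sizeof dst);
    copy_name_safe(dst, sizeof dst, src);
    return strcmp(dst, expected) == 0;
}

int main(void)
{
    /* Constructed sample inputs: one longer than the buffer, one exactly its size, one shorter. */
    const char *inputs[] = { "administrator", "password", "root" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("%-14s strncpy-only unterminated: %-3s  hardened terminated: %s\n",
               inputs[i],
               unsafe_copy_loses_terminator(inputs[i]) ? "yes" : "no",
               safe_copy_is_terminated(inputs[i]) ? "yes" : "no");
    }
    return 0;
}
```

A grep-style scanner such as Flawfinder flags strncpy because of exactly this pattern, and the fix is the explicit terminator (or strlcpy/snprintf where available), not the bounded call alone.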
> For many shops, having another type of firewall could cost
> millions whereas putting tools in the hands of developers may
> actually be cheaper. We as a community may be better served
> by encouraging application firewalls and letting the
> financial model for complying work in our favor...
We are having a good thread going on fuzzing, commercial tools, etc. on the
fuzzing list. This is a large forward but I thought some of you might want
to weigh in, or at least take a look at the thread.
JS
Hello all,
Although we at Codenomicon do not "fuzz" in the true meaning of the word
(that
RATS will do PHP as well; there is a plugin for Eclipse that will do static
analysis on PHP code which is called Pixy. The next step would be to
investigate some of the tools from SPI Dynamics, a few of them are black-box
but if you combine some black-box testing with some static analysis, add
some
Always a great debate, I somewhat agree with Marcus, there are plenty of
"pimps" out there looking for fame, and there are definitely a lot of them
(us) that are working behind the scenes, taking the time to help the vendors
and to stay somewhat out of the limelight. The yin-yang is very fitting.
In my personal experience with web app testing, I have found that web
fuzzers are not nearly as useful as fuzzers used for applications, and more
specifically I have found numerous bugs doing direct API fuzzing. In the
case of testing web applications I find that using something like
SpiDynamics to
This is great, and something I have incorporated into our own cycle
previously, as carving out a spot on our team as the "security engineer"
didn't seem to work. But by creating a process for including security
testing, abuse cases, etc. I was able to incorporate security without a big
hit to the t
Once again though, using security-oriented constructs requires that the
developers use them and use them correctly. Static code analysis tools (like
Fortify) aren't after-the-fact, they should be inline during the process of
development. If you can create a development process and environment of
se
Yeah, I can personally attest to that; after spending a few months on the
OSVDB as a mangler and developer, I quickly realized that the bevy of
vulnerabilities we worked on every day were primarily PHP based. Now granted,
setting "register_globals off" (which essentially prevents a user from
overwrit