Re: [SC-L] Interesting tidbit in iDefense Security Advisory 06.26.07

2007-06-28 Thread J. M. Seitz
Hey there, If you couldn't insert ignore directives, many people wouldn't use such tools at all, and would release code with vulnerabilities that WOULD be found by such tools. Of course, much like an IDS, you have to find the baseline and adjust your ruleset according to the norm, if it

Re: [SC-L] Interesting tidbit in iDefense Security Advisory 06.26.07

2007-06-26 Thread J. M. Seitz
Hey all, 1) the original author of the defect thought that s/he was doing things correctly in using strncpy (vs. strcpy). 2) the original author had apparently been doing static source analysis using David Wheeler's Flawfinder tool, as we can tell from the comments. This is humorous,

Re: [SC-L] Darkreading: compliance

2007-04-04 Thread J. M. Seitz
For many shops, having another type of firewall could cost millions whereas putting tools in the hands of developers may actually be cheaper. We as a community may be better served by encouraging application firewalls and letting the financial model for complying work in our favor... I

[SC-L] [fuzzing] MoKB take?

2007-03-22 Thread J. M. Seitz
We are having a good thread going on fuzzing, commercial tools, etc. on the fuzzing list. This is a large forward but I thought some of you might want to weigh in, or at least take a look at the thread. JS Hello all, Although we at Codenomicon do not fuzz in the true meaning of the word (that

Re: [SC-L] statical analysis tools: language supports...

2007-03-21 Thread J. M. Seitz
RATS will do PHP as well there is a plugin for Eclipse that will do static analysis on PHP code which is called Pixy. The next step would be to investigate some of the tools from SPI Dynamics, a few of them are black-box but if you combine some black-box testing with some static analysis, add some

Re: [SC-L] Dark Reading - Desktop Security - Here Comes the (Web) Fuzz- Security News Analysis

2007-02-27 Thread J. M. Seitz
In my personal experience with web app testing, I have found that web fuzzers are not nearly as useful as fuzzers used for applications, and more specifically I have found numerous bugs doing direct API fuzzing. In the case of testing web applications I find that using something like SpiDynamics