Hey there,
If you couldn't insert ignore directives, many people
wouldn't use such tools at all, and would release code with
vulnerabilities that WOULD be found by such tools.
Of course, much like an IDS, you have to find the baseline and adjust your
ruleset according to the norm, if it
Hey all,
1) the original author of the defect thought that s/he was
doing things correctly in using strncpy (vs. strcpy).
2) the original author had apparently been doing static
source analysis using David Wheeler's Flawfinder tool, as we
can tell from the comments.
This is humorous,
For many shops, having another type of firewall could cost
millions whereas putting tools in the hands of developers may
actually be cheaper. We as a community may be better served
by encouraging application firewalls and letting the
financial model for complying work in our favor...
I
We are having a good thread going on fuzzing, commercial tools, etc. on the
fuzzing list. This is a large forward but I thought some of you might want
to weigh in, or at least take a look at the thread.
JS
Hello all,
Although we at Codenomicon do not fuzz in the true meaning of the word
(that
RATS will do PHP as well there is a plugin for Eclipse that will do static
analysis on PHP code which is called Pixy. The next step would be to
investigate some of the tools from SPI Dynamics, a few of them are black-box
but if you combine some black-box testing with some static analysis, add
some
In my personal experience with web app testing, I have found that web
fuzzers are not nearly as useful as fuzzers used for applications, and more
specifically I have found numerous bugs doing direct API fuzzing. In the
case of testing web applications I find that using something like
SPI Dynamics