Gary McGraw wrote:
Hi all (especially david),
The story you repeated about ITS4 finding a vulnerability
that can't happen is wrong.
The tool FIST (a fault injection tool for security) which we decribed
in an Oakland paper from 1998 was what you were thinking of.
(FIST was also produced
Crispin Cowan wrote:
I would like to introduce you to my new kick-ass scanning tool. You run
it over your source code, and it only produces a single false-positive
for you to check out. That false positive just happens to be the
complete source code listing for your entire program :)
If you
I'd like to follow up on Brian Chess' comments...
Brian Chess (brian at fortifysoftware dot com) said:
False positives:
Nobody likes dealing with a pile of false positives, and we work hard to
reduce false positives without giving up potentially exploitable
vulnerabilities.
I think everyone