* Corey Bryant (cor...@linux.vnet.ibm.com) wrote:
> Count me in for step 2. A good approach may be to run a static
> analysis tool against the code, followed by a manual scan of the
> code for common vulnerabilities that static analysis can't find.

Good idea. Folks are already running things like Coverity. The false positive rate is high enough that it's a lot to wade through at first (so extra eyes could be quite helpful here). Perhaps the people who are involved in this could share some of their findings.

thanks,
-chris