Hmm.
Time to no longer use flawfinder, RATS, and ITS4. Throw them out and get a
real tool.
I cover this in gory detail in chapter 5 of Software Security. There's a
pretty nice treatment of the history of these tools and the evolution of
technology there.
gem
www.swsec.com
www.cigital.com/~g
-Original Message-
>From: Crispin Cowan [mailto:[EMAIL PROTECTED]
>
>Gavin, Michael wrote:
>> Yeah, statistics can allow you to say and "prove" just about anything.
>>
>> OK, showing my ignorance here, since I haven't checked out any of the
>> LAMP source trees and reviewed the code: how m
Gavin, Michael wrote:
> Yeah, statistics can allow you to say and "prove" just about anything.
>
> OK, showing my ignorance here, since I haven't checked out any of the
> LAMP source trees and reviewed the code: how much of the code making up
> those modules is written in scripting languages vs. ho
Absolutely right. Spot on.
gem
-Original Message-
From: Jeff Williams [mailto:[EMAIL PROTECTED]
Sent: Tue Mar 07 14:46:54 2006
To: 'Gavin, Michael'; 'Jeremy Epstein'; 'Kenneth R. van Wyk'; 'Secure
Coding Mailing List'
Subject: RE: [SC-L] ZDNET: LAMP lights the way in ope
I'm a strong advocate of static analysis, but drawing conclusions about
overall security based only on these tools is just silly. Even ignoring the
scripting language problem, these tools simply aren't even looking for many
of the types of problems that cause the most serious risks. They're great
Yeah, statistics can allow you to say and "prove" just about anything.
OK, showing my ignorance here, since I haven't checked out any of the
LAMP source trees and reviewed the code: how much of the code making up
those modules is written in scripting languages vs. how much of it is
written in C, C
All of which proves that there are lies, damn lies, and statistics (the
statistic being the lower bug density, which ignores the most potentially
vulnerable parts of the system).
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Gavin, Michael
> Sent
The Coverity product (Coverity Prevent) is a static source code analysis
tool for C and C++, see
http://www.coverity.com/library/pdf/coverity_prevent.pdf.
It isn't actually scanning (or if it is, it isn't analyzing) any of the
scripting code, as far as I can tell.
Michael
-Original Message-
Interesting article out on ZDNet today:
http://www.zdnetasia.com/news/security/0,39044215,39315781,00.htm
The article refers to the US government sponsored study being done by Stanford
University, Symantec, and Coverity. It says, "The so-called LAMP stack of
open-source software has a lower bu