Monday, January 8, 2007

Secure coding (and 'Vulnerability Pimps')

Application security is one of my favorite areas, and with it secure coding techniques and source code review. Marcus Ranum, he of firewall fame, recently wrote an article about running an automated source code analyzer against the Firewall Toolkit (FWTK).

As he says in the footnote,

The Firewall Toolkit later became the core of the TIS Gauntlet firewall. For a few years after its release, the FWTK code-base was at the center of more than half of the firewalls on the Internet.
And the code had been reviewed and worked on by many people, yet some security issues, including one buffer overflow, were left undiscovered in the code. Lesson? If you have a large codebase, you need to run a tool like Fortify to find the quick hits that would otherwise stay buried in the code.
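
The kind of defect that lesson is about, as an added illustration in C that is not code from FWTK or from Ranum's article: an off-by-one bounds check that reads correctly at a glance and survives manual review, next to the corrected form. The buffer size and the function names are made up for the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed example: a fixed-size name field as found in many
 * network daemons of the FWTK era. NAME_LEN is an assumed value. */
#define NAME_LEN 16

/* 'Before': copies src into a caller-supplied buffer of NAME_LEN bytes.
 * Returns 0 on success, -1 if the input is rejected as too long.
 * The check uses '>' where '>=' is required, so an input of exactly
 * NAME_LEN characters is accepted and the terminating NUL is written
 * to dst[NAME_LEN], one byte past the end of the buffer. This is the
 * sort of quick hit a static analyzer flags and a reviewer skims past. */
int copy_name_unsafe(char *dst, const char *src)
{
    size_t len = strlen(src);
    if (len > NAME_LEN)          /* off by one: len == NAME_LEN passes */
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';             /* dst[NAME_LEN] when len == NAME_LEN */
    return 0;
}

/* 'After': the bound leaves room for the terminator, and the buffer
 * size is passed explicitly so the check and the copy cannot drift apart
 * when someone later changes the caller's array. */
int copy_name_safe(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0 || len >= dst_size)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}
```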

In the same article, Ranum coined a new term: Vulnerability Pimps. These are the so-called security researchers who hunt for flaws just to gain fame.