Technology/Security/Society Musings: Secure coding (and 'Vulnerability Pimps')

Monday, January 8, 2007

Secure coding (and 'Vulnerability Pimps')

Application security is one of my favorite areas, and as a result, secure coding techniques, and source code review. Marcus Ranum, he of the firewall fame, recently wrote an article about running an automated source code analyzer against Firewall Toolkit.

As he says in the footnote,

The Firewall Toolkit later became the core of the TIS Gauntlet firewall. For a few years after its release, the FWTK code-base was at the center of more than half of the firewalls on the Internet.

And the code had been reviewed/worked on by many people, but some security issues, including one buffer overflow, was left undiscovered in the code. Lesson? If you have a large codebase, you need to run a software like Fortify to find the quick hits that would be otherwise buried in the code.

In the same article, Ranum created a new term: Vulnerability Pimps. These are the so-called security researchers who attempt to discover flaws just to gain fame.

About Me

My name is Javed Ikbal, and I am the Chief Security Officer at zSquad. I hold the CISSP, CISA and CISM certifications. With 20 years in IT and 10 years in information security, my specialty is building or re-engineering information security programs. I've held Chief Information Security Officer positions at multi-billion-dollar corporations, and now with zSquad, I help out other businesses.

I am also the co-founder of The Layoff Support Network (LSN), my pay-it-forward effort to help people during these tough economic times

Technology/Security/Society Musings

Monday, January 8, 2007

Secure coding (and 'Vulnerability Pimps')

0 comments:

Search this Blog

About Me

Labels

Blog Archive