Security Portal: Auditing Code
Oct 27, 2000, 06:48
By Kurt Seifried
"Auditing code is a major part of any software project, since for some reason people have a tendency to write code with security problems. Most projects take a reactive position, fixing problems as they come to light (oftentimes after someone finds exploit code floating around). Some projects, like OpenBSD, take an extremely proactive stance. For example, format string attacks have become fashionable in the last few months, and the OpenBSD team has done an extensive audit of their source code, fixing many problems for the upcoming 2.8 release. In any event, auditing code manually takes a large amount of effort and some degree of expertise. You must understand secure programming techniques, and you must understand the software you are auditing."
"Enter the automated software auditing tools. To be honest, there's really only one that's worth using: ITS4 (It's The Software Stupid) by Cigital (formerly Reliable Software Technologies). Some people will argue that these automated tools are not as comprehensive or as safe as a good manual code audit, and they are generally correct. However, an automated code audit is much better than no code audit, especially with a reasonably advanced tool such as ITS4, which will catch many of the common problems that have resulted in root exploits. The following is an interview with John Viega, author of ITS4."
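The kind of lexical scan an automated auditing tool performs, as an added illustration that is not part of the article and is not ITS4's code: it walks C source line by line, finds calls to the printf/syslog family, and flags any call whose format argument is not a string literal (the format string class the article mentions), while calls to functions with no bounds checking are flagged at a lower severity. The C sample embedded in the block is constructed for the demonstration and deliberately pairs each risky call with its safe form; the function tables, severities and message strings are this example's own choices.

```python
import re

# Constructed C sample (not from the article): risky calls next to their safe forms.
SAMPLE_C = """\
#include <stdio.h>
#include <syslog.h>

void log_user(const char *user) {
    char buf[64];
    printf(user);            /* format string comes from input */
    printf("%s", user);      /* safe: literal format */
    syslog(LOG_INFO, user);  /* same defect through syslog */
    sprintf(buf, "%s", user); /* literal format, but unbounded write */
    snprintf(buf, sizeof buf, "%s", user); /* bounded */
}
"""

# Position (0-based) of the format argument for each function we check.
FORMAT_FUNCS = {"printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2,
                "syslog": 1, "vprintf": 0}
# Functions flagged on every use because they perform no bounds checking.
UNBOUNDED_FUNCS = {"strcpy", "strcat", "sprintf", "gets"}

NAME_RE = re.compile(r'\b([A-Za-z_]\w*)\s*\(')


def call_args(code, open_idx):
    """Return the text between the '(' at open_idx and its matching ')', or None."""
    depth, in_str, i = 0, False, open_idx
    while i < len(code):
        ch = code[i]
        if in_str:
            if ch == '\\':
                i += 1          # skip the escaped character
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
        elif ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
            if depth == 0:
                return code[open_idx + 1:i]
        i += 1
    return None


def split_args(argtext):
    """Split a C argument list on top-level commas, respecting parens and string literals."""
    args, cur, depth, in_str, i = [], [], 0, False, 0
    while i < len(argtext):
        ch = argtext[i]
        if in_str:
            cur.append(ch)
            if ch == '\\' and i + 1 < len(argtext):
                cur.append(argtext[i + 1])
                i += 1
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            cur.append(ch)
        elif ch == '(':
            depth += 1
            cur.append(ch)
        elif ch == ')':
            depth -= 1
            cur.append(ch)
        elif ch == ',' and depth == 0:
            args.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    if cur:
        args.append(''.join(cur).strip())
    return args


def scan(source):
    """Return (line, function, severity, reason) tuples for each suspicious call."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = line.split('/*', 1)[0]          # ignore trailing block comments
        for m in NAME_RE.finditer(code):
            name = m.group(1)
            argtext = call_args(code, m.end() - 1)
            if argtext is None:
                continue
            args = split_args(argtext)
            if name in FORMAT_FUNCS:
                pos = FORMAT_FUNCS[name]
                # A format argument that is not a literal may be under external control.
                if pos < len(args) and not args[pos].startswith('"'):
                    findings.append((lineno, name, "HIGH", "non-literal format string"))
            if name in UNBOUNDED_FUNCS:
                findings.append((lineno, name, "MEDIUM", "no bounds checking"))
    return findings


if __name__ == "__main__":
    for lineno, name, sev, reason in scan(SAMPLE_C):
        print(f"line {lineno}: {sev:6} {name}(): {reason}")
```

Like any lexical scanner, this only sees the call site, not the data flow behind it: a non-literal format that is in fact a compile-time constant still gets reported, which is why the article treats such tools as a complement to, not a replacement for, manual review.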