“Auditing code is a major part of any software project, since
for some reason people have a tendency to write code with security
problems. Most projects take a reactive position, fixing problems
as they come to light (oftentimes after someone finds exploit code
floating around). Some projects, like OpenBSD, take an extremely
proactive stance. For example, format string attacks have become
fashionable in the last few months, and the OpenBSD team has done
an extensive audit of their source code, fixing many problems for
the upcoming 2.8 release. In any event, auditing code manually
takes a large amount of effort and some degree of expertise. You
must understand secure programming techniques, and you must
understand the software you are auditing.”
“Enter the automated software auditing tools. To be honest,
there’s really only one that’s worth using: ITS4 (It’s The Software
Stupid) by Cigital (formerly Reliable Software Technologies). Some
people will argue that these automated tools are not as
comprehensive or as safe as a good manual code audit, and they are
generally correct. However, an automated code audit is much
better than no code audit, especially with a reasonably advanced
tool such as ITS4, which will catch many of the common problems
that have resulted in root exploits. The following is an interview
with John Viega, author of ITS4.”
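To make concrete the kind of check a lexical auditing tool such as ITS4 performs, here is an added example; it is not ITS4's own code and not part of the interview. It is a small Python scanner run over a constructed C snippet: it blanks out comments, finds function calls, flags the unbounded string functions that have historically led to root exploits, and flags printf-family calls whose format argument is not a string literal (the format string class the text mentions). The risky-function table, the format-argument positions and the sample source are assumptions chosen for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample C source (not from any real project): two risky calls
# and two safe ones, so the scanner has something to find and something to skip.
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>

void greet(const char *name) {
    char buf[64];
    strcpy(buf, name);                      /* unbounded copy into fixed buffer */
    printf(name);                           /* caller-controlled format string  */
    printf("hello %s\n", buf);              /* literal format: fine             */
    snprintf(buf, sizeof buf, "%s", name);  /* bounded copy: fine               */
}
'''

# Assumed table of calls that are risky by name alone (lexical rule, ITS4-style).
RISKY_CALLS = {
    "gets": ("high", "no bound on input length"),
    "strcpy": ("high", "unbounded copy into destination"),
    "strcat": ("high", "unbounded append"),
    "sprintf": ("high", "unbounded formatted write"),
    "vsprintf": ("high", "unbounded formatted write"),
}

# Assumed map of printf-family functions to the index of their format argument.
FORMAT_FUNCS = {"printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2, "syslog": 1}

CALL_RE = re.compile(r'\b([A-Za-z_]\w*)\s*\(')


def strip_comments(src: str) -> str:
    """Blank out C comments but keep newlines so reported line numbers stay right."""
    def blank(m: re.Match) -> str:
        return re.sub(r'[^\n]', ' ', m.group(0))
    src = re.sub(r'/\*.*?\*/', blank, src, flags=re.S)
    return re.sub(r'//[^\n]*', blank, src)


def call_args(src: str, start: int) -> List[str]:
    """Return the top-level argument strings of the call whose '(' is at src[start].

    Tracks parenthesis depth and string literals so nested calls and commas
    inside quotes do not split an argument.
    """
    depth, i, args, cur, in_str = 0, start, [], [], False
    while i < len(src):
        c = src[i]
        if in_str:
            cur.append(c)
            if c == '\\':            # keep escaped char with its backslash
                cur.append(src[i + 1]); i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True; cur.append(c)
        elif c == '(':
            depth += 1
            if depth > 1: cur.append(c)
        elif c == ')':
            depth -= 1
            if depth == 0:
                args.append(''.join(cur).strip()); break
            cur.append(c)
        elif c == ',' and depth == 1:
            args.append(''.join(cur).strip()); cur = []
        else:
            cur.append(c)
        i += 1
    return [a for a in args if a]


def scan(src: str) -> List[Tuple[int, str, str, str]]:
    """Return (line, function, severity, reason) for every suspicious call in src."""
    clean = strip_comments(src)
    findings = []
    for m in CALL_RE.finditer(clean):
        name = m.group(1)
        line = clean.count('\n', 0, m.start()) + 1
        if name in RISKY_CALLS:
            sev, why = RISKY_CALLS[name]
            findings.append((line, name, sev, why))
        if name in FORMAT_FUNCS:
            idx = FORMAT_FUNCS[name]
            args = call_args(clean, m.end() - 1)   # m.end()-1 is the '(' itself
            if idx < len(args) and not args[idx].startswith('"'):
                findings.append((line, name, "high",
                                 f"non-literal format string: {args[idx]}"))
    return findings


if __name__ == "__main__":
    for line, fn, sev, why in scan(SAMPLE_C):
        print(f"line {line}: {fn}() [{sev}] {why}")
```

Because the scanner works on tokens rather than data flow, it reports every `strcpy` regardless of whether the source is attacker-controlled; that is exactly the trade-off the text describes, where an automated pass is cheaper than a manual audit but produces findings a human still has to triage.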