I was reading my twitter feed and read this quote
"…there is no reason to believe that the many eyes inspecting (open) source code would be successful in identifying bugs that allow system security to be compromised…" – Michael Warfield.
I couldn’t disagree more. But instead of writing some blog post or some rant on script kiddies, I decided to do something about it.
So I started to research and look into why this information is not widely available. There have been plenty of others who have attempted to do this in one manner or another. http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
How about academic papers? I found Fortify Co-Founder/Chief Scientist Brian Chess’s Ph.D. dissertation. Quite an entertaining read. http://portal.acm.org/author_page.cfm?id=81100545071&coll=GUIDE&dl=GUIDE... One could assume it was the paper which launched the whitehat/compliance world of static/dynamic source code analysis.
As expected, the idea of static source code analysis isn’t new. But how about the unique application of using free and highly available tools to find low hanging fruit? This goes to Aaron Campbell. On behalf of Arbor Networks, he wrote a great blog post summarizing the first phase of my project. Succinctly put, the technique is to take known poor secure programming practices and apply Google Hacking to public code repositories to find instances of them.
Over the coming weeks, I’m going to build upon Aaron Campbell’s work to incrementally release tools, metrics, and analytical sites. I do not have illusions of grandeur. I do not plan on these tools and sites to replace multi-million dollar companies and their products/services. These tools and sites will enable one to perform rudimentary static source analysis on the cheap (as in free.) The plans are to start off with one or two support languages (email ponies@mayhemiclabs.com to request a language), then expand into other languages as requests dictate.
To hold others over until then, via Aaron Campbell, http://www.google.com/codesearch?q=^[\+\t]*printf\(getenv&hl=en&btnG=Search+Code
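As an added example (not code from the original post or from Aaron Campbell), here is an offline version of that Code Search query: a small scanner that flags `printf(getenv(...))`, where untrusted environment data becomes the format string, and, as a generalization of the same bug class, `fprintf(stream, getenv(...))`. The C snippet it scans is constructed for the example and is not from any real project.

```python
import re

# Rough ports of the Code Search regex ^[\+\t]*printf\(getenv quoted above.
# Leading '+' is kept so lines taken from a unified diff still match; space
# is added alongside tab. The second rule is an added generalization.
RULES = {
    "printf(getenv(": re.compile(r'^[\s+]*printf\s*\(\s*getenv\s*\('),
    "fprintf(..., getenv(": re.compile(r'^[\s+]*fprintf\s*\([^,]*,\s*getenv\s*\('),
}

# Constructed sample: two risky calls (env value used as the format string)
# and two safe ones (literal format, env value passed as an argument).
SAMPLE_SOURCE = r"""#include <stdio.h>
#include <stdlib.h>
int main(void) {
    printf(getenv("HOME"));                        /* risky: format from env */
    fprintf(stderr, getenv("DEBUG_FMT"));          /* risky: format from env */
    printf("%s\n", getenv("HOME"));                /* safe: literal format */
    fprintf(stderr, "%s\n", getenv("DEBUG_FMT"));  /* safe: literal format */
    return 0;
}
"""


def find_risky_format_calls(source):
    """Return (line_number, rule_name, stripped_line) for each matching line."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in RULES.items():
            if pattern.match(line):
                hits.append((lineno, name, line.strip()))
                break  # one report per line is enough
    return hits


if __name__ == "__main__":
    for lineno, name, text in find_risky_format_calls(SAMPLE_SOURCE):
        print(f"line {lineno}: [{name}] {text}")
```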
PS: For the one person I promised to write about Caja challenges and issues: I regretfully apologize. I’m currently under NDA until issues have been resolved.