From owner-freebsd-audit Tue Feb 22 11:49:34 2000
Delivered-To: freebsd-audit@freebsd.org
Received: from alcanet.com.au (mail.alcanet.com.au [203.62.196.10]) by hub.freebsd.org (Postfix) with ESMTP id 0F87137B705 for ; Tue, 22 Feb 2000 11:49:30 -0800 (PST) (envelope-from jeremyp@gsmx07.alcatel.com.au)
Received: by border.alcanet.com.au id <115215>; Wed, 23 Feb 2000 06:50:08 +1100
Content-return: prohibited
From: Peter Jeremy
Subject: Software security scanner
To: freebsd-audit@FreeBSD.ORG
Message-Id: <00Feb23.065008est.115215@border.alcanet.com.au>
MIME-version: 1.0
X-Mailer: Mutt 1.0i
Content-type: text/plain; charset=us-ascii
Date: Wed, 23 Feb 2000 06:50:07 +1100
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Since no one else has mentioned it here (but we all read RISKS, don't we)...
RISKS 20.81 mentions a new software security scanner called ITS4:

> [It's] a command-line tool for statically scanning C and C++
> source code for security vulnerabilities. The tool is called ITS4. ITS4
> scans through source code for potentially dangerous function calls that are
> stored in a database. Anything that is in the database gets flagged. ITS4
> tries to automate a lot of the grepping usually done by hand when performing
> security audits.
>
> The tool is available from: http://www.rstcorp.com/its4/
> Also on this site is a research paper on ITS4 submitted to this year's
> Usenix Security conference.
>
> ITS4 is open source software. The license puts some minor restrictions on
> commercial use. In essence, you can't use this tool to make money (such as
> by reselling it, or by using it in a consulting practice). However, you are
> encouraged to run the tool on your own product in order to make it better.

It sounds like a useful tool to find the bits of code that need to be
studied in depth. Has anyone looked at it?

Peter

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message
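To show the "grep against a database of risky calls" idea the quoted RISKS note describes, here is a small ITS4-style scanner added as an illustration (not ITS4's own code or database). It blanks out comments and string literals first so that a function name mentioned in a comment or printed in a string is not reported; the function list, severities and the sample C input are constructed for the example.

```python
"""Minimal ITS4-style scanner (added illustration, not ITS4's own code)."""
import re

# Constructed risk database: function name -> (severity, note). Not ITS4's list.
RISK_DB = {
    "gets":    ("high",   "no bound on input length; use fgets"),
    "strcpy":  ("medium", "unbounded copy; check length or use strlcpy"),
    "sprintf": ("medium", "unbounded format; use snprintf"),
    "system":  ("high",   "shell invocation; validate arguments"),
}

# Block comments, line comments, double- and single-quoted literals.
_COMMENT_OR_STRING = re.compile(
    r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'', re.S)
# An identifier immediately followed by '(' is treated as a call site.
_CALL = re.compile(r'\b([A-Za-z_]\w*)\s*\(')

def strip_comments_and_strings(src):
    """Blank out comments and strings but keep newlines so line numbers hold."""
    return _COMMENT_OR_STRING.sub(lambda m: re.sub(r'[^\n]', ' ', m.group()), src)

def scan(src):
    """Return [(line, function, severity, note)] for risky calls in C source."""
    hits = []
    for lineno, line in enumerate(strip_comments_and_strings(src).split("\n"), 1):
        for m in _CALL.finditer(line):
            name = m.group(1)
            if name in RISK_DB:
                sev, note = RISK_DB[name]
                hits.append((lineno, name, sev, note))
    return hits

# Constructed sample input: two real call sites plus two decoys.
SAMPLE = '''#include <stdio.h>
/* strcpy(mentioned, in_comment); */
int main(int argc, char **argv) {
    char buf[64];
    gets(buf);                       // flagged
    printf("call strcpy(x, y)\\n");  // inside a string: not flagged
    strcpy(buf, argv[1]);            // flagged
    return 0;
}
'''

if __name__ == "__main__":
    for lineno, name, sev, note in scan(SAMPLE):
        print(f"{lineno}:{name}: [{sev}] {note}")
```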