Date: Wed, 23 Feb 2000 06:50:07 +1100
From: Peter Jeremy <peter.jeremy@alcatel.com.au>
To: freebsd-audit@FreeBSD.ORG
Subject: Software security scanner
Message-ID: <00Feb23.065008est.115215@border.alcanet.com.au>
Since no-one else has mentioned it here (but we all read RISKS don't we)...

RISKS 20.81 mentions a new software security scanner called ITS4:

>[It's] a command-line tool for statically scanning C and C++
>source code for security vulnerabilities. The tool is called ITS4. ITS4
>scans through source code for potentially dangerous function calls that are
>stored in a database. Anything that is in the database gets flagged. ITS4
>tries to automate a lot of the grepping usually done by hand when performing
>security audits.
>
>The tool is available from: http://www.rstcorp.com/its4/
>Also on this site is a research paper on ITS4 submitted to this year's
>Usenix Security conference.
>
>ITS4 is open source software. The license puts some minor restrictions on
>commercial use. In essence, you can't use this tool to make money (such as
>by reselling it, or by using it in a consulting practice). However, you are
>encouraged to run the tool on your own product in order to make it better.

It sounds like a useful tool to find the bits of code that need to be studied in depth. Has anyone looked at it?

Peter

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message
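As an added illustration of the approach the quoted RISKS note describes (a database of potentially dangerous calls, and a lexical scan that flags every occurrence), here is a small Python scanner written for this archive page. It is not ITS4's own code, and the database entries, severities, notes and the sample C file are all constructed for the example. One refinement over a plain grep is that comments and string literals are blanked out before matching, so the word `strcpy` in a comment is not reported while line numbers stay correct.

```python
"""Minimal ITS4-style lexical scanner (added example, not ITS4's code).

Flags every call to a function listed in a small 'dangerous call' database.
Like any lexical scan it has no data-flow knowledge: every hit is a place to
study in depth, not a confirmed vulnerability, and declarations of a listed
function are flagged just like calls.
"""
import re
from dataclasses import dataclass

# Hypothetical database: function name -> (severity, reviewer note).
# Entries and severities are assumptions chosen for illustration.
DANGEROUS_CALLS = {
    "gets":    ("high",   "no bounds check; use fgets with an explicit size"),
    "strcpy":  ("medium", "check destination size or use strlcpy/snprintf"),
    "strcat":  ("medium", "check remaining space or use strlcat"),
    "sprintf": ("medium", "unbounded output; prefer snprintf"),
    "system":  ("high",   "shell metacharacter risk; review how arguments are built"),
}


@dataclass
class Finding:
    line: int
    func: str
    severity: str
    note: str


# Block comments, line comments, string literals and char literals.
_STRIP_RE = re.compile(
    r'/\*.*?\*/'              # block comment (DOTALL lets it span lines)
    r'|//[^\n]*'              # line comment
    r'|"(?:\\.|[^"\\\n])*"'   # string literal, honouring backslash escapes
    r"|'(?:\\.|[^'\\\n])*'",  # char literal
    re.DOTALL,
)

# An identifier immediately followed by '(' : a call, definition or prototype.
_CALL_RE = re.compile(r'\b([A-Za-z_]\w*)\s*\(')


def strip_comments_and_strings(src: str) -> str:
    """Replace comments and literals with spaces, keeping every newline so the
    line numbers of the remaining code are unchanged."""
    return _STRIP_RE.sub(lambda m: re.sub(r'[^\n]', ' ', m.group(0)), src)


def scan(src: str, db=DANGEROUS_CALLS) -> list:
    """Return one Finding per occurrence of a database function in src."""
    findings = []
    cleaned = strip_comments_and_strings(src)
    for lineno, line in enumerate(cleaned.splitlines(), start=1):
        for m in _CALL_RE.finditer(line):
            name = m.group(1)
            if name in db:
                severity, note = db[name]
                findings.append(Finding(lineno, name, severity, note))
    return findings


def format_report(findings) -> str:
    """Render findings one per line, in source order."""
    return "\n".join(
        f"line {f.line}: {f.func}() [{f.severity}] - {f.note}" for f in findings
    )


# Constructed sample input: two real hits (lines 8 and 15), plus a comment and
# a string literal that mention listed functions and must not be reported.
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>

/* strcpy mentioned in a comment must not be reported */
int greet(const char *name) {
    char buf[32];
    strcpy(buf, name);             /* flagged */
    printf("never call gets()\n"); /* gets inside a string literal: ignored */
    return 0;
}

int main(void) {
    char line[64];
    gets(line);                    /* flagged */
    return greet(line);
}
'''

if __name__ == "__main__":
    print(format_report(scan(SAMPLE_C)))
```

Run on the embedded sample it reports `strcpy` on line 8 and `gets` on line 15 and nothing else; pointing it at a real tree is a matter of reading files and calling `scan` on each. The database is the whole of the tool's knowledge, which is exactly why such a scanner is a triage aid: it tells you where to look, not whether the call is actually unsafe.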