[15949] in bugtraq


Re: Chasing bugs / vulnerabilities

daemon@ATHENA.MIT.EDU (Kurt Seifried)
Tue Jul 25 15:24:46 2000

MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-ID:  <001501bff5d3$a1d293e0$6900030a@seifried.org>
Date:         Mon, 24 Jul 2000 18:59:48 -0600
Reply-To: Kurt Seifried <listuser@seifried.org>
From: Kurt Seifried <listuser@seifried.org>
X-To:         Michael S Hines <mshines@PURDUE.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM

Amen.
[snipsnip]

> Both white box (known source and specifications) and black box (using
> documentation for software without knowing the internals) testing should be
> carried out - by individuals separate and apart from the coders.
>
> Try the UNIX Fuzz experiment, first conducted at the University of Wisconsin
> on multiple UNIX operating systems and when tried again several years later
> revealed only slightly better results (the Fuzz experiment throws garbage
> input on the command line into a program and tests the response). We
> (check out
> http://www.cerias.purdue.edu/coast/ms_penetration_testing/v11.html) tried
> the same experiment on WinNT with 'interesting' results.

Fuzz for Linux:
http://fuzz.sourceforge.net/

Secure programming documentation and software (several links).
http://www.securityportal.com/lskb/articles/kben10000082.html

ITS4
http://www.rstcorp.com/its4/

SLINT
http://www.l0pht.com/products.html#SLINT

> Michael S Hines, CISA,CIA,CFE,CDP         | Phone 765.494.5338

Kurt Seifried
SecurityPortal, your focal point for security on the net
http://www.securityportal.com/
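
Added example (not part of the original message, and not code from any of the tools linked above): a small black-box harness in the spirit of the Fuzz experiment described in the quoted text, feeding seeded random bytes to a program and recording how it terminates. It assumes input is delivered on stdin on a POSIX system; `TARGET` is a constructed stand-in utility, and the function names are illustrative.

```python
import random
import signal
import subprocess
import sys

# Constructed stand-in for a fragile utility (assumption, not a real tool):
# it aborts when any input line is longer than 64 bytes.
TARGET = [sys.executable, "-c",
          "import os, sys\n"
          "for line in sys.stdin.buffer.read().split(b'\\n'):\n"
          "    if len(line) > 64:\n"
          "        os.abort()\n"]

def garbage(rng, max_len=512):
    """Random bytes of random length, including NULs and control characters."""
    return bytes(rng.randrange(256) for _ in range(rng.randrange(1, max_len)))

def run_case(cmd, data, timeout=5.0):
    """Feed one input on stdin; return 'ok', 'hang' or 'crash:<SIGNAL>'."""
    try:
        proc = subprocess.run(cmd, input=data, timeout=timeout,
                              stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL)
    except subprocess.TimeoutExpired:
        return "hang"
    if proc.returncode < 0:
        # On POSIX a negative return code means the child died on a signal.
        return "crash:" + signal.Signals(-proc.returncode).name
    # A non-zero exit is a handled error, which is the desired behaviour.
    return "ok"

def fuzz(cmd, runs=25, seed=2000):
    """Run seeded random inputs; return (case number, verdict, input length)."""
    rng = random.Random(seed)  # fixed seed so every finding can be replayed
    findings = []
    for case in range(runs):
        data = garbage(rng)
        verdict = run_case(cmd, data)
        if verdict != "ok":
            findings.append((case, verdict, len(data)))
    return findings

if __name__ == "__main__":
    for case, verdict, size in fuzz(TARGET):
        print(f"case {case}: {verdict} on {size} bytes of input")
```

Because the generator is seeded, a reported case number can be regenerated and handed to the developer as a reproducer.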
