List: kde-core-devel
Subject: RFC: Performing code security audits before releases...
From: Dawit Alemayehu <adawit () kde ! org>
Date: 2002-02-25 7:10:03
Hello,

I want to begin a discussion on performing proactive security audits of our codebase before each release. I am by no means a security expert, but some of the common security problems like buffer overruns/overflows can be checked and tested for with minimal effort using tools like RATS. This way our code is at least checked for some of these common flaws in software design. No matter the tool or the effort put forth we obviously cannot catch all such problems, but that does not mean we should not attempt to find the ones we can.

For starters I generated and attached below a report for the entire kdelibs directory using RATS (http://www.securesw.com/rats/). Perhaps using the lessons we learn from using tools like this we can write a HOWTO article or create methods to avoid the pitfalls. I encourage everyone who is responsible for some piece of code in kdelibs to go through the report and see if there is anything they need to fix based on it. I personally plan to go through the entire report and verify things. If I come across something questionable, I will send email to the author(s) listed in the source code. Please note that the report is not necessarily correct all the time. It will have false positives where the code is being reported as a potential problem when in actuality it might not be.

Hopefully this will start a good discussion about code security in general and, along with the memory profiling tool (valgrind), make KDE even better than it currently is. In the future I would love to see a period (perhaps a few days) built into the release schedule for performing such audits.

Regards,
Dawit A.
["kdelibs-audit.gz" (application/x-gzip)]
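To make concrete what a line in such a report looks like, here is an added C example (not from the message, from RATS, or from kdelibs): a fixed-size buffer filled by an unbounded strcpy(), which a pattern-based scanner reports; the same routine rewritten with an explicit length check; and a strcpy() of a short literal that the scanner also reports even though it cannot overflow, which is the false-positive case the message warns about. The function names and NAME_MAX are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>

#define NAME_MAX 16   /* assumed buffer size for the example */

/* The pattern a scanner such as RATS reports: strcpy() into a fixed
 * buffer with no check that the source fits. A source longer than
 * NAME_MAX-1 bytes overruns `buf`. Returns the length stored. */
size_t store_name_unchecked(const char *src)
{
    char buf[NAME_MAX];
    strcpy(buf, src);            /* reported: unbounded copy */
    return strlen(buf);
}

/* Hardened form: a bounded copy that rejects, rather than silently
 * truncates, any source that would not fit. Returns -1 on rejection,
 * otherwise the length stored. */
int store_name_checked(const char *src)
{
    char buf[NAME_MAX];
    size_t len = strlen(src);
    if (len >= sizeof buf)
        return -1;               /* would overflow: refuse the input */
    memcpy(buf, src, len + 1);   /* bounded copy, includes the NUL */
    return (int)len;
}

/* A call the same scanner also reports, because it matches on the
 * function name alone, yet the literal is shorter than the buffer.
 * This is the kind of entry a reviewer verifies and then dismisses. */
size_t store_literal(void)
{
    char buf[NAME_MAX];
    strcpy(buf, "kdelibs");      /* reported, but 8 bytes into 16: safe */
    return strlen(buf);
}
```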