Re: tools to scan source code

From: Dan Catalin Vasile (hardware_cta@yahoo.com)
Date: Wed Sep 13 2006 - 06:46:16 EDT


Hi Ben,

You can contribute to open source projects like RATS.
You will have a lot of benefits from this, including a
good CV. And also, we will have (hopefully) better
software to analyze source code :).

Have secure fun,
Dan

--- Ben Hall <ben2004uk@googlemail.com> wrote:

> Hello all,
>
> I've been watching this conversation closely as it is hugely relevant
> to me at the moment.
>
> I am just about to enter my final year of University, and I was hoping
> to create a static source code analyser for ASP.net applications. I
> thought it was a good idea, however after reading this I am starting
> to think otherwise, and maybe there could be better uses of the
> opportunity to complete a large project.
>
> Does anyone have any advice? I want to do a project involving
> security and .net. I've been recommended to do an application to edit
> the HTTP request - like WebScarab. However, this has been done many
> times and doesn't represent anything 'new', and while source code
> auditors aren't new, they are less readily available as open source
> software. This is still an option I might look into, taking it off on
> a tangent somehow and doing more of a full pen-test application.
>
> I welcome anyone's advice.
>
> Thank you
>
> Ben
>
>
> On 13/09/06, Stefano Zanero <zanero@elet.polimi.it> wrote:
> > Hi Kish,
> >
> > I realize I've been a bit too cryptic in my answer:
> >
> > > Stefano :), you must see Security Forest's page which
> > > says RATS can audit C, C++, Perl, PHP & Python source
> > > code. (http://www.securityforest.com/wiki/index.php/Category:Source_Code_Scanners)
> >
> > Yes, RATS _can_ audit PHP source. What I was referring to is that web
> > app vulnerabilities have a different structure than the vulnerabilities
> > you commonly audit C source code for.
> >
> > For instance, you can detect candidates for buffer overflow (along with
> > a bunch of false positives) through simple regexp pattern matching. It's
> > way more difficult to detect with few false positives candidates for SQL
> > injection.
> >
> > The fact that RATS is able to handle PHP code is not a synonym for the
> > fact that it can handle web-app vulnerabilities.
> >
> > Stefano


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------
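Stefano's point about regexp scanning (cheap buffer-overflow candidates, hard SQL injection) illustrated as an added example; this is not code from the thread or from RATS. The C and PHP fragments are constructed, and the two regexes are simplified stand-ins for a real tool's rule set.

```python
import re

# Constructed C fragment (not from the thread). Lines 2 and 3 are genuine
# overflow candidates; line 4 is the bounded variant a scanner should skip.
C_SAMPLE = """\
char buf[64];
strcpy(buf, argv[1]);
gets(buf);
strncpy(buf, src, sizeof buf - 1);
"""

# Constructed PHP fragment. Line 1 is injectable, line 2 is sanitised with
# intval(), lines 3-4 are injectable but the tainted value reaches the query
# through an intermediate variable, so a per-line pattern never sees it.
PHP_SAMPLE = """\
$r = mysql_query("SELECT * FROM t WHERE id=" . $_GET["id"]);
$r = mysql_query("SELECT * FROM t WHERE id=" . intval($_GET["id"]));
$q = "SELECT * FROM t WHERE name='" . $_GET["n"] . "'";
$r = mysql_query($q);
"""

# RATS-style check: a call to a known-unsafe C function is a candidate by itself.
C_UNSAFE_CALL = re.compile(r"\b(strcpy|strcat|gets|sprintf)\s*\(")

# Naive web-app check: a query call whose argument mentions request data.
PHP_TAINTED_QUERY = re.compile(r"mysql_query\s*\(.*\$_(GET|POST|REQUEST|COOKIE)\b")

def scan_c(src):
    """Return (line_no, function_name) for each unsafe-call candidate."""
    return [(n, m.group(1)) for n, line in enumerate(src.splitlines(), 1)
            if (m := C_UNSAFE_CALL.search(line))]

def scan_php(src):
    """Return line numbers where a query call directly references request data."""
    return [n for n, line in enumerate(src.splitlines(), 1)
            if PHP_TAINTED_QUERY.search(line)]

def php_scan_quality(flagged, injectable, safe):
    """Classify regex hits against the known ground truth for the sample."""
    flagged = set(flagged)
    return {"true_positive": len(flagged & injectable),
            "false_positive": len(flagged & safe),
            "false_negative": len(injectable - flagged)}

if __name__ == "__main__":
    print("C candidates:", scan_c(C_SAMPLE))        # [(2, 'strcpy'), (3, 'gets')]
    hits = scan_php(PHP_SAMPLE)                       # [1, 2]
    print("PHP hits:", hits)
    print(php_scan_quality(hits, injectable={1, 4}, safe={2}))
```

The C pass finds exactly the two dangerous calls, while the PHP pass misclassifies one line in each direction: the sanitised query is a false positive and the injection routed through `$q` is a false negative, which is the data-flow problem a pattern matcher cannot solve.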



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:56 EDT