Chapter 1. Introduction to Vulnerability...

Finding Bugs and Vulnerabilities

Given the multitudinous ways programmers can make mistakes, looking for bugs and vulnerabilities in a piece of software should be an integral part of the development process. Until recently, that was not the case: a software product was released without any security testing, and it was left up to independent security researchers to find the errors and report them to the vendor for repair. Now, most software faces some kind of security review prior to its release, and many vendors consider security from the onset of the development project, as is the case with Microsoft’s Secure Development Process. But testing the security of a particular product can be an expensive proposition, and vendors must weigh that expense against the other cost factors involved in releasing the product to its customers. Because of this, even software developed in an environment stringently cognizant of security risks is most likely released without full testing. Once again, the burden of testing falls upon security researchers. Fortunately, security researchers have a vast array of tools and techniques to locate bugs and vulnerabilities.

Source Code Review

An effective way to find vulnerabilities in software for which the source code is available (such as open-source software) is manual code review. For example, a researcher may search the source code for instances of the strcpy function mentioned earlier, examining each portion of code that uses that function to make sure the copy respects the bounds of the destination buffer. While this will show all cases where strcpy is improperly used, it will not show cases where a programmer uses a similar technique or function to accomplish the same result.
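The following is an added example (not code from the book) illustrating what a reviewer searching for strcpy sees and misses: an unchecked strcpy into a fixed buffer, a hand-rolled loop with the identical missing bound that a grep for "strcpy" never finds, and a bounded copy that reports when the input does not fit. The buffer size and sample names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* constructed fixed buffer size for the example */

/* Pattern a reviewer greps for: strcpy() into a fixed-size buffer with no
 * check that src fits. Any src longer than NAME_MAX-1 bytes writes past dst. */
void store_name_unchecked(char dst[NAME_MAX], const char *src)
{
    strcpy(dst, src);
}

/* Same defect, but a search for "strcpy" never finds it: a hand-rolled copy
 * loop with the same missing bound. This is the case the text says manual
 * review of one function name will miss. */
void store_name_handrolled(char dst[NAME_MAX], const char *src)
{
    while ((*dst++ = *src++) != '\0')
        ;
}

/* Hardened form: the destination size is passed explicitly and checked
 * before any byte is written. Returns 0 on success, -1 if src (plus its
 * terminator) would not fit; dst is then left as an empty string rather
 * than a silently truncated or partial value. */
int store_name_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0)
        return -1;
    if (len >= dst_size) {          /* no room for len bytes + NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);      /* copies the terminator as well */
    return 0;
}

int main(void)
{
    char buf[NAME_MAX];
    const char *short_name = "alice";                                /* constructed */
    const char *long_name  = "a-name-far-longer-than-sixteen-bytes";  /* constructed */

    printf("bounded short: %d (\"%s\")\n", store_name_bounded(buf, sizeof buf, short_name), buf);
    printf("bounded long:  %d (\"%s\")\n", store_name_bounded(buf, sizeof buf, long_name), buf);
    return 0;
}
```

The two unchecked functions are deliberately never called with the long input; they are there to show the code shapes a reviewer must recognise, not to be run.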
