On Wed, Jun 02, 2004 at 04:22:26PM +0100, Steve Kemp wrote:
> On Tue, Jun 01, 2004 at 11:47:04AM +0200, Javier Fernández-Sanguino Peña wrote:
>
> > - The pages are difficult to find if starting from the index (in order to
> > get to the tools page I had to go Index->FAQ->Auditing Overview->Tools
(...)
>
> One thing that is still missing is a guide to using each of the tools
> on a piece of sample code. That was almost ready but I've held off
> committing it now that there is a new release of flawfinder.
>
> I agree that in general the pages are a little mazy, that's partly
> due to their relative newness and partly because I'm not sure how to
> create a good menubar - I don't want the pages to look too different
> from the rest of the Debian pages.
For a sample menu style:
- http://www.debian.org/devel/ (a single menu, no content)
- http://www.debian.org/doc/ (a menu + some content)
If there are several subsections it might be worth having a header similar
to the one in /doc linking to those subsections (in different pages or
within the same page) and put an intro to the project just after the
header.
> > - I digress regarding the recommendation to _not_ use the BTS. It might
> > make sense to use the BTS when reporting bugs related to versions that are
> > not present on unstable and don't require a DSA themselves. For example
> > consider #249613.
> > [Note: I'm not really an example on how to do this since I should have
> > reported #249616 to the Security Team first]
>
> I was specifically asked not to report security bugs via the BTS by
> mdz, and since then I have not done so. However there is a section in
> the manual which specifically allows some security bugs to be reported
> in this way, from memory it says they may be reported either if the bug is
> already public knowledge, or if it involves something "simple" like a
> symlink attack.
Did mdz refer to _all_ security bugs or just security bugs that do not
affect stable? I don't see why a bug in a package in sarge/sid which is not
yet released (for example, it is not present in stable or the code affected
is not present in the stable version) could not be reported in the BTS.
> > - A list of common bugs found and pointers on how to fix them?
> > For example: race conditions, buffer overflows...
>
> This is already present in my pages in the enhanced tools page,
> basically I show a piece of code and then run that through each of the
> source code scanners walking through the output.
Great.
>
> There are also links to the Secure Programming HOWTO for more
> information on closing things securely.
Great. I'm eager to read that (but I'll have to finish "Secure Coding:
Principles and Practices" first). BTW, it might be worthwhile pointing to
some books, for example:
- "Secure Coding: Principles and Practices" by Mark G. Graff, Kenneth R.
Van Wyk, ISBN-0596002424
http://www.amazon.com/exec/obidos/tg/detail/-/0596002424/qid=1086191803/sr=8-1/ref=sr_8_xs_ap_i1_xgl14/103-3161784-7469442?v=glance&s=books&n=507846
- "Practical UNIX and Internet Security" by Gene Spafford, Simson
Garfinkel, Alan Schwartz, ISBN-0596003234
http://www.amazon.com/exec/obidos/tg/detail/-/0596003234/qid=1086191860/sr=1-1/ref=sr_1_1/103-3161784-7469442?v=glance&s=books
I have the second edition of the second one in my possession (a must read),
and I'm currently reading the first one (which is pretty good IMHO).
Regards,
Javier