Using Google Code Search to Find Security Bugs
by Nitesh Dhanjani
Reviewing software for security bugs is a highly recommended best practice. There are various techniques for doing source code reviews, one of them being "static code analysis", which (in most cases) involves the use of a 'grepping' (pattern matching) tool together with a database of patterns that indicate potential security flaws. Static code analysis has disadvantages: a high rate of false positives and the inability to detect logic errors that may lead to security bugs. That said, static code analysis tools can be used to perform a quick first pass over the source code to detect bugs that are easily identified by a grepping technique ("low hanging fruit"). Some free security-oriented static code analyzers are Flawfinder, RATS, and SWAAT.
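To make the "grepping tool plus pattern database" idea concrete, here is a small added example (not code from this post, nor from Flawfinder, RATS or SWAAT) of a first-pass scanner in the same style. The pattern database, the `scan`/`report` functions and the C sample it runs over are all constructed for this illustration. The sample is chosen to show both weaknesses named above: a mention of `strcpy` inside a comment is a false positive for a naive grep, and a `strncpy` call whose bound is taken from the wrong buffer is a logic bug that no pattern will ever catch.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line: int
    name: str
    risk: str
    rationale: str


# Constructed pattern database for this example. Real analyzers ship far
# larger databases, but the shape is the same: a regex for the call site,
# a severity, and a hint telling the reviewer what to look at.
PATTERNS = [
    ("gets",    "high",   r"\bgets\s*\(",    "cannot bound input; use fgets()"),
    ("strcpy",  "high",   r"\bstrcpy\s*\(",  "unbounded copy; check destination size"),
    ("sprintf", "medium", r"\bsprintf\s*\(", "unbounded format; prefer snprintf()"),
    ("system",  "medium", r"\bsystem\s*\(",  "shell invocation; verify argument provenance"),
]
COMPILED = [(name, risk, re.compile(rx), why) for name, risk, rx, why in PATTERNS]

# Matches // line comments and block comments that open and close on one line.
# Block comments spanning several lines are not handled here; that limitation
# is one more reason a grep-style pass is a first pass, not a verdict.
COMMENT_RE = re.compile(r"//.*|/\*.*?\*/")


def strip_comments(line: str) -> str:
    """Drop comment text so that prose mentioning a function name is not a hit."""
    return COMMENT_RE.sub("", line)


def scan(source: str, skip_comments: bool = True) -> List[Finding]:
    """Return every pattern hit in source order, one Finding per (line, pattern)."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        text = strip_comments(line) if skip_comments else line
        for name, risk, regex, why in COMPILED:
            if regex.search(text):
                findings.append(Finding(lineno, name, risk, why))
    return findings


def report(findings: List[Finding]) -> str:
    """Format findings the way a reviewer would want to read them."""
    return "\n".join(
        f"line {f.line}: {f.name}() [{f.risk}] {f.rationale}" for f in findings
    )


# Constructed C sample (not from any real project). Line 4 is a false
# positive for a naive grep; line 6 is a real bug (the bound comes from the
# source, not the destination) that no pattern matches; line 13 is the
# genuine low-hanging fruit the pass is meant to find.
SAMPLE_SOURCE = r"""#include <stdio.h>
#include <string.h>

/* strcpy() is deliberately avoided in this module */
int copy_name(char *dst, size_t dstlen, const char *src) {
    strncpy(dst, src, strlen(src));  /* wrong bound: logic bug, invisible to grep */
    dst[dstlen - 1] = '\0';
    return 0;
}

void greet(void) {
    char buf[64];
    gets(buf);                       /* unbounded read: real finding */
    puts(buf);
}
"""

if __name__ == "__main__":
    print("with comment stripping:")
    print(report(scan(SAMPLE_SOURCE)))
    print("\nnaive grep (no comment stripping):")
    print(report(scan(SAMPLE_SOURCE, skip_comments=False)))
```

Run against the sample, the comment-aware pass reports only the `gets()` call, while the naive pass also flags the comment on line 4; neither pass says anything about the mis-bounded `strncpy()`, which is exactly the kind of bug that still needs a human reviewer.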
Interesting post. Good to see some examples of how Google code search can be used to scan Open Source software for security issues and thus make it more secure.
...am I the only one that went searching for hidden messages and jokes in the code?
Code analysis via search engine - security, and finding NetBSD code in other projects