Using Google Code Search to Find Security Bugs

by Nitesh Dhanjani


Reviewing software for security bugs is a highly recommended best practice. There are various techniques for doing source code reviews, one of them being "static code analysis", which (in most cases) involves the use of a "grepping" (pattern matching) tool along with a database of patterns that indicate potential security flaws. Static code analysis has its disadvantages: a high rate of false positives and an inability to detect logic errors that may lead to security bugs. That said, static code analysis tools can be used to perform a quick first pass on the source code to detect bugs that are easily identified by a grepping technique ("low hanging fruit"). Some free security-oriented static code analyzers are Flawfinder, RATS, and SWAAT.
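To make the "grepping tool plus pattern database" idea concrete, here is an added example (not code from the article, and not how Flawfinder, RATS or SWAAT are implemented) of a minimal pattern-matching scanner for C source. The pattern database, the sample C file and the severity labels are all constructed for the illustration. It also shows one cheap way to cut false positives that a plain grep produces: stripping comments before matching, while keeping line numbers accurate.

```python
import re

# Constructed pattern database: each entry is (name, regex, severity, note).
# Real analyzers ship far larger rule sets; these four are only illustrative.
PATTERNS = [
    ("gets",    re.compile(r"\bgets\s*\("),    "high",   "gets() has no bounds check"),
    ("strcpy",  re.compile(r"\bstrcpy\s*\("),  "high",   "strcpy() copies without a length limit"),
    ("sprintf", re.compile(r"\bsprintf\s*\("), "medium", "sprintf() can overflow its destination"),
    ("system",  re.compile(r"\bsystem\s*\("),  "medium", "system() runs a shell; check the argument is trusted"),
]


def strip_comments(source):
    """Remove C block and line comments so that a dangerous function that is
    merely mentioned in a comment is not reported (a classic grep false
    positive). Newlines inside block comments are kept so that the line
    numbers of the remaining code do not shift."""
    def keep_newlines(match):
        return "\n" * match.group(0).count("\n")
    source = re.sub(r"/\*.*?\*/", keep_newlines, source, flags=re.S)
    source = re.sub(r"//[^\n]*", "", source)
    return source


def scan(source):
    """Return a list of (line_number, severity, pattern_name, note) findings."""
    findings = []
    for lineno, line in enumerate(strip_comments(source).splitlines(), 1):
        for name, regex, severity, note in PATTERNS:
            if regex.search(line):
                findings.append((lineno, severity, name, note))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 2} for the sample below."""
    counts = {}
    for _, severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


# Constructed sample input: a small C file with two real hits and two
# decoys (a bounded strncpy() and dangerous names inside comments).
SAMPLE_SOURCE = """\
#include <stdio.h>
#include <string.h>

/* strcpy() mentioned here should not be reported */
void copy(char *dst, const char *src) {
    strncpy(dst, src, 15);      /* bounded, not in the pattern set */
    strcpy(dst, src);           /* line 7: unbounded copy */
}

int main(void) {
    char buf[16];
    gets(buf);                  /* line 12: no bounds check */
    // system("ls") in a line comment is ignored as well
    return 0;
}
"""

if __name__ == "__main__":
    for lineno, severity, name, note in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: [{severity}] {name}: {note}")
    print(summarize(scan(SAMPLE_SOURCE)))
```

Running it reports only lines 7 and 12; the `strncpy()` call and the function names inside comments are skipped. Everything it does find still needs a human to decide whether the destination buffer is actually large enough, which is exactly the logic-level judgement a pattern matcher cannot make.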

4 Comments

yaph
2006-10-12 03:01:23
Interesting post. Good to see some examples how Google code search can be used to scan Open Source software for security issues and thus make it more secure.
cy landers
2006-10-12 06:36:39
...am I the only one that went searching for hidden messages and jokes in the code?

speaking of google, here's a fun mashup -- http://blog.fortiusone.com/2006/10/11/heat-maps-for-google-maps-aka-geoiq-mashup they're using it to track heat patterns from traffic, pretty interesting stuff.

Matthew Sporleder
2006-10-12 10:03:38
Code analysis via search engine - security, and finding NetBSD code in other projects
hary
2007-07-03 16:02:45
Hi all,

Today I read one story related to this one at:

Security CENTRAL Forum

http://www.SCForum.info