Friday, March 24, 2006

Source Code Security Vulnerability Scanners

In the last few weeks I attended lots of webcasts and seminars on security, and I have also served different companies in different positions and roles. My observation is that companies are trying hard to protect their assets and get compliant so that they will not become targets for hackers. Everyone talks a lot about network security, application security, and so on, and uses big words like SQL injection, buffer overflow and format string vulnerabilities. But what these actually are, and what precautions we have to take to avoid them, is missing. I talked a lot about security with different vendors and found that the only information coming to me was about firewalls, IDS, VPN, network audits, procedure audits and so on. These things are essential, but I was asking about a complete security solution, and no one highlighted that we can also suppress the bugs behind these vulnerabilities at development time too. The above aspects are the most common ones, and I trust every person working in security knows them too. Hence the net outcome is that all vendors are trying to sell products, not solutions.
Lots of well-known bugs are present in already deployed software, so it is essential to protect against them, but whatever is going to be built in future, please concentrate on that too. I worked with highly qualified test engineers; they all talk about big testing software like Jtest, Robo J etc. But where is the mechanism that will tell you that the developers are generating secure code against the well-known vulnerabilities? I know by this time this article seems boring to you, but this is the fact. Very few people know that there are automated tools in the market with the help of which you can suppress the mistakes already made earlier, i.e. vulnerabilities.
These automated tools do the audit on the principle of known mistakes, or signatures. For example, a buffer overflow vulnerability usually means improper usage of the gets(), scanf(), sprintf(), strcat() or strcpy() function calls. These function calls are definitely required at times, but when by mistake they are not used properly they generate different kinds of vulnerabilities. As per one survey there are 10000+ known vulnerabilities, and I trust almost 50% of this figure has also been analyzed by experts to learn the patterns which commonly create vulnerabilities. So these automated audit tools match your code against these known patterns, and if a matching string pattern is found they raise an alert for a potential vulnerability. Some of the known audit tools are described below.
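To show how the signature-based audit described above actually works, here is an added example (not code from this post or from any of the tools listed below): a small Python scanner run over a constructed C snippet. It flags the same call family (gets, strcpy, strcat, sprintf, scanf), ignores names that appear only inside comments or string literals, and does not confuse fgets() with gets(). The risk levels and notes are my own illustrative assumptions, not any real tool's database.

```python
import re

# Dangerous C library calls that pattern-based scanners flag, with a risk
# note. Illustrative subset (assumed), not any real tool's signature database.
RISKY_CALLS = {
    "gets":    ("high",   "no bound on input length; use fgets"),
    "strcpy":  ("high",   "no bound on copy length; use a bounded copy"),
    "strcat":  ("high",   "no bound on concatenation; use a bounded append"),
    "sprintf": ("high",   "no bound on output; use snprintf"),
    "scanf":   ("medium", "%s without a field width is unbounded"),
}

# Require a word boundary before the name so 'fgets(' is not reported as 'gets('.
CALL_RE = re.compile(r"\b(" + "|".join(RISKY_CALLS) + r")\s*\(")

def strip_comments_and_strings(src: str) -> str:
    """Blank out comments and string literals so names inside them are not
    reported; newlines are kept so line numbers stay correct."""
    def blank(m):
        return re.sub(r"[^\n]", " ", m.group(0))
    pattern = r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"'
    return re.sub(pattern, blank, src, flags=re.S)

def scan_c_source(src: str):
    """Return (line_no, function, risk, note) for every risky call found."""
    hits = []
    lines = strip_comments_and_strings(src).split("\n")
    for lineno, line in enumerate(lines, 1):
        for m in CALL_RE.finditer(line):
            name = m.group(1)
            risk, note = RISKY_CALLS[name]
            hits.append((lineno, name, risk, note))
    return hits

# Constructed sample C input: two real findings plus three decoys.
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>
/* strcpy mentioned in a comment must not be reported */
void greet(const char *who) {
    char buf[16];
    strcpy(buf, who);              /* real finding: unbounded copy */
    printf("gets(%s)\n", buf);     /* "gets(" inside a string: not a call */
    fgets(buf, sizeof buf, stdin); /* safe: fgets is not gets */
    sprintf(buf, "%s!", who);      /* real finding: unbounded format */
}
'''

if __name__ == "__main__":
    for lineno, name, risk, note in scan_c_source(SAMPLE_C):
        print(f"line {lineno}: {name}() [{risk}] {note}")
```

Real tools such as Flawfinder and RATS work the same way but with far larger signature databases and per-call heuristics (for example inspecting the format string of a scanf call); as with any pattern matcher, every hit still needs a human to confirm it is exploitable.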

Automated Source Code Security Vulnerability Scanners
There are intelligent tools available to help you examine large amounts of source code for security vulnerabilities.

Flawfinder: examines source code and reports possible security vulnerabilities.
RATS (Secure Software Solutions): scans C, C++, Perl, PHP and Python source code for potential security vulnerabilities.
ITS4 (Cigital): scans source code looking for potentially vulnerable function calls and performs source code analysis to determine the level of risk.
PScan: a limited problem scanner for C source files.
BOON: Buffer Overrun detectiON.
MOPS: MOdelchecking Programs for Security properties.
Cqual: a tool for adding type qualifiers to C.
MC: Meta-Level Compilation.
SLAM: from Microsoft.
ESC/Java: Extended Static Checking for Java.
Splint: Secure Programming Lint.
MOPED: a model checker for pushdown systems.
JCAVE: JavaCard Applet Verification Environment.
The Boop Toolkit: utilizes abstraction and refinement to determine the reachability of program points in a C program.
Blast: Berkeley Lazy Abstraction Software Verification Tool.
Uno: a simple tool for source code analysis.
PMD: scans Java source code and looks for potential problems.
C++ Test: unit testing and static analysis tool.

Monday, March 20, 2006

Subhash and his wife



Demo , Me and Ramesh


Mritunjay organizer
Keekar

Its too strange faces
Keekar

Holi in black
Keekar

Bit OK
Keekar
Ravi and Anil
Demo and Lalit


So colour full
Keekar

Corina, Stephen, and her friend (Sorry name I forgot again)

Wednesday, March 15, 2006

Decisive Dilemma

Sometimes very silly things itch you a lot. It's not that big a problem, but still you feel it. That happened to me today. I am in great turmoil and not able to decide what I have to do. On one side I have a colleague/friend, and on the other side I have my ethics, my ideology and my word to a fairly well-known person. Whom should I support? The concern or issue is very materialistic and doesn't make that much sense. But my friend said some words which really stressed me too much to think. On one side I have a friend who feels and also tells me what all he doesn't like in me; it's very rare to get such a friend (specially for me), as approximately 80% of society pampers you directly or indirectly. I am just scared that if I take my decision as per myself he will feel hurt, or indirectly I am going to spoil my relationship with him. I am in a state of perplexity as I have a choice between equally unfavorable options.

Although I know my friend is very dicey and too confused, and because of that he never stands by his words, which I definitely didn't like. But should I also do the same thing to him with others? Could I do things which I didn't like? Then what's the difference between him and me? I was just thinking over all this scrap for the last 4 hrs. But after putting the above 6 lines on paper I am clearer and out of my dilemma.

It really helps a person if you write it down on a neat and clean piece of paper. Because thoughts frequently come into your mind and override earlier thoughts. But if it is on paper your analytical brain is able to tell you what's wrong and what's right. So I decided to stand by my words, without fearing about my friend and my relationship with him. Because if he is a friend of mine then he will be able to understand me, and if it's not like that then he is not a friend of mine, he is just an opportunist, so why should I bother about him. And definitely it will give a lesson to him too, and he could be more aware in future about such things.

By the way, why I published it: because I feel it's a very small and common thing (everyone faces such a situation once every month) but certainly it creates more stress for a person in his day to day life. Such a thing worked for me. But it took a lot of time to remove the instance and person names from the article. Hopefully you are also going to try such a solution. Don't forget to post your comment about my decision. I am looking forward to your help too. I have already decided, but yes, your feedback will be helpful for me in future.

Saturday, March 11, 2006

GPL and Open Source

Recently in one meeting there was a small discussion about Open Source Software. Most of the guys in the industry debate on that, for example that Open Source is cheap and useful and so on. But there are lots of hidden things in it.

The "classic" licenses, GPL, LGPL, BSD and MIT, were the most commonly used for open-source software. But what are they? Why should we bother about it, it's open source and free? Such questions usually come from 90% of people working in the IT industry.

But boss, nothing is free in this world except your mother's love and affection. :)
After the BlackBerry/RIM case most organizations started doing audits on their environments for use of Open Source software. Have you ever paid attention to the GPL published with most Open Source software?

I was able to dig down to a few of the important facts and questions which you should be concerned about. For your reference, the last four lines of the GPL are enclosed:
"This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License."

Microsoft calls attention to the implications of the GPL when an individual or organization creates derivative works using GPL-licensed code. Microsoft asserts that the GPL requires the release of both the derivative and original code. According to Microsoft, using GPL-licensed code as a basis for projects forces a company to make all derivative code available to the public, raising the risk that a firm could divulge trade secrets.

However, Microsoft's critique of the GPL ignores the GPL "nonrelease" provision, which states that private or internal use of GPL code in a derivative product does not require a company to release the resulting source code to the public. The GPL comes into play only when GPL code is incorporated into a derivative product that is made available or sold to the public. Any company planning to release software that incorporates GPL-licensed code into a single, unitary product must release the new code under the terms of the GPL.

Microsoft's critique raises the issues of proportionality and fairness; is it reasonable to require the release of a huge amount of new code when only a few lines of GPL-licensed code were incorporated into a new, derivative product? Richard Stallman, the Free Software Foundation's director, responds that companies cannot incorporate Microsoft Word source code into their publicly released products under any circumstances, including under the provisions of Microsoft's "shared source" venture.

The GPL provides an opportunity for developers to contribute to the growing body of freely available, GPL-licensed code, but they are not under any compulsion to do so. Developers that do not wish to contribute to the free software movement should simply refrain from incorporating GPL-licensed code in their products.

The above summary is not intended to serve as legal advice. If you're thinking about using GPL-licensed code in a publicly released derivative product, consult an attorney to ensure that your use of the code conforms to the terms of the GPL.

Friday, March 10, 2006

Result: Johari Window

Arena

(known to self and others)

bold, confident, extroverted, independent, knowledgeable

Blind Spot

(known only to others)

able, accepting, adaptable, brave, cheerful, clever, complex, dependable, dignified, energetic, friendly, giving, happy, helpful, idealistic, ingenious, intelligent, introverted, logical, loving, modest, nervous, observant, organised, patient, powerful, proud, quiet, reflective, relaxed, religious, responsive, searching, self-assertive, self-conscious, sensible, sentimental, silly, spontaneous, sympathetic, tense, trustworthy, warm, wise, witty

Façade

(known only to self)

Unknown

(known to nobody)

calm, caring, kind, mature, shy

All Percentages

able (15%) accepting (3%) adaptable (7%) bold (15%) brave (7%) calm (0%) caring (0%) cheerful (11%) clever (3%) complex (3%) confident (11%) dependable (15%) dignified (11%) energetic (3%) extroverted (11%) friendly (38%) giving (7%) happy (11%) helpful (11%) idealistic (7%) independent (11%) ingenious (3%) intelligent (38%) introverted (3%) kind (0%) knowledgeable (23%) logical (7%) loving (7%) mature (0%) modest (3%) nervous (15%) observant (15%) organised (11%) patient (3%) powerful (3%) proud (3%) quiet (15%) reflective (15%) relaxed (15%) religious (7%) responsive (3%) searching (7%) self-assertive (3%) self-conscious (11%) sensible (19%) sentimental (7%) shy (0%) silly (11%) spontaneous (7%) sympathetic (3%) tense (15%) trustworthy (11%) warm (7%) wise (7%) witty (15%)

Created by the Interactive Johari Window on 9.3.2006, using data from 26 respondents.
view Mukesh Kesharwani's full data.