Subject: Re: ITS4 Program
To: Dave Burgess <burgess@nms.omaha.mitre.org>
From: David Brownlee <abs@netbsd.org>
List: current-users
Date: 02/22/2000 17:41:09

Any chance of a package? :)


		David/absolute

On Tue, 22 Feb 2000, Dave Burgess wrote:

> Hola,
> 
> I was cruising around on the Internet and came across a really interesting
> program.  It's a source code security scanner that can be extended through
> the use of an exploits database.  I ran it against the /bin/sh source
> and it identified several 'risky' issues that we may or may not have 
> previously identified.  I'm giving some thought to running it against the
> entire -current /usr/src/*bin* directory tree and seeing what it says.
> 
> Obviously, the raw output would be overwhelming (as well as incredibly
> noisy) but it might find some interesting things we haven't found in the
> past.  Combined with lint, this could be a good double check for the
> NetBSD source code tree.
> 
> The program, for anyone else that's interested, is in
> http://www.rstcorp.com/its4/
> 
> It's available for free for non-commercial use (I think, check the web
> site to find out for sure) but the source code is available and it
> compiles without a hitch on NetBSD-current.
> 
> Dave Burgess
>