
Tiger Envelopes: Code reviews and audits

Tiger Privacy 

Some people beg for money. We beg for code reviews and audits.

If you have the skills to review the code for bugs, please, please do. Finding security vulnerabilities is the top priority, but any bugs you find are important. Any significant software project is likely to have plenty of bugs until it gets extensive field testing and peer review, including security audits.

Security software has a special challenge. Often bad guys want to plant backdoors and trojans in the code. Although it's certainly possible that someone has cracked our systems to do this, ordinary bugs are a bigger risk. The bad guys usually try to make their attacks look like bugs anyway, so either way the solutions are usually the same.

The developers review the code constantly, of course, but that's not enough. Please help. If you only have time to look at one class, or one part of the design, or even just a few lines, that's still great. Even a quick comment like "Not enough input checking" can help. You'll be a Tiger Tamer and get credit right along with the developers. If you prefer to stay private, anonymous reports are fine.

We tend to do static testing of the code only at the beginning of a release cycle. You can do it any time. Run FindBugs with "ant -f test.xml findbugs", or PMD using a customized rule set with "ant -f test.xml pmd". When we disagree with a static checker there should be a comment in the code saying why. Coverage isn't great yet, so the existing tests mostly focus on application-level testing. FindBugs does a good job of finding many security bugs, but if anyone hears of an open source security checker for Java like Flawfinder for C, please let us know.

Please don't blindly trust that code does what it says it does. "If you fail to test, it will fail to work." JUnit tests are especially valuable because anyone can run them to verify something hasn't slipped in. There are already tests for the major functions, but many assumptions are still unchecked. The test code itself must be reviewed by hand.

It's a big job, and to be effective a lot of it has to be done by someone other than the developers. Please help anywhere you can:

We all talk about how important code reviews and security audits are, but almost no one actually does them. Even a few minutes helps. Thank you for any time you can spare.

Copyright © 2005-2007 Tiger Privacy