It may interest some to learn that IBM developerWorks have published an article titled Software security analysis with BogoSec.

"BogoSec is a source code metric tool that wraps multiple source code scanners, invokes them on its target code, and produces a final score that approximates the security quality of the code. This article discusses the BogoSec methodology and implementation, and illustrates the output of BogoSec when run on a number of test cases, including Apache Web server, OpenSSH, Sendmail, Perl, and others."

BogoSec is packaged as a Perl script and dependent modules.

Martin
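As an added illustration of the methodology the quoted abstract describes (a wrapper that runs several source code scanners over a target and folds their findings into one score), here is a small Perl sketch. It is not BogoSec's own code and does not use its scoring formula: the two scanners are constructed stand-ins for the external tools such a wrapper would invoke, the severity weights and the score formula are assumptions chosen for the example, and the two C snippets it scans are constructed samples.

```perl
#!/usr/bin/perl
# Toy BogoSec-style aggregator (added illustration, not BogoSec's own code).
# Two constructed "scanners" stand in for the external tools a wrapper like
# BogoSec invokes; the weights and the scoring formula are assumptions.
use strict;
use warnings;

# Scanner 1: flag calls to C library functions that take no bounds argument.
# Severity weights are assumed values for this example.
my %unbounded = (gets => 10, strcpy => 8, strcat => 8, sprintf => 6, scanf => 6);

sub scan_unbounded_calls {
    my ($src) = @_;
    my (@hits, $n);
    for my $line (split /\n/, $src) {
        $n++;
        next if $line =~ m{^\s*//};              # skip single-line comments
        while ($line =~ /\b(\w+)\s*\(/g) {       # every identifier followed by '('
            push @hits, { line => $n, what => $1, severity => $unbounded{$1} }
                if exists $unbounded{$1};
        }
    }
    return @hits;
}

# Scanner 2: flag printf-family calls whose format argument is an identifier
# rather than a string literal (a format string under caller control).
sub scan_format_strings {
    my ($src) = @_;
    my (@hits, $n);
    for my $line (split /\n/, $src) {
        $n++;
        if ($line =~ /\b(printf)\s*\(\s*([A-Za-z_]\w*)\s*[,)]/
         || $line =~ /\b(fprintf|syslog)\s*\(\s*\w+\s*,\s*([A-Za-z_]\w*)\s*[,)]/) {
            push @hits, { line => $n, what => "$1 with non-literal format $2", severity => 9 };
        }
    }
    return @hits;
}

# Non-blank, non-comment lines, used to normalise findings against code size.
sub count_loc {
    my ($src) = @_;
    return scalar grep { /\S/ && !m{^\s*//} } split /\n/, $src;
}

# Run every scanner, sum the weighted findings and fold them into one score.
sub bogo_score {
    my ($src) = @_;
    my @hits = (scan_unbounded_calls($src), scan_format_strings($src));
    my $weight = 0;
    $weight += $_->{severity} for @hits;
    my $loc = count_loc($src) || 1;
    # Assumed formula: 10 means no weighted findings; the score falls as the
    # finding weight grows relative to the amount of code scanned.
    my $score = 10 * $loc / ($loc + $weight);
    return ($score, \@hits);
}

# Constructed sample: unchecked copies and a non-literal format string.
my $risky = <<'C';
#include <stdio.h>
#include <string.h>
// constructed sample: unchecked copies and a non-literal format string
void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);
    strcat(buf, "!");
    printf(buf);
}
int main(void) { char line[64]; gets(line); greet(line); return 0; }
C

# Constructed sample: the same program with bounded copies and a literal format.
my $hardened = <<'C';
#include <stdio.h>
#include <string.h>
// constructed sample: bounded copies and a literal format string
void greet(const char *name) {
    char buf[32];
    snprintf(buf, sizeof buf, "%s!", name);
    printf("%s\n", buf);
}
int main(void) { char line[64]; if (fgets(line, sizeof line, stdin)) greet(line); return 0; }
C

for my $case ([risky => $risky], [hardened => $hardened]) {
    my ($label, $src) = @$case;
    my ($score, $hits) = bogo_score($src);
    printf "%-9s score %.1f/10, %d finding(s)\n", $label, $score, scalar @$hits;
    printf "  line %2d: %s (severity %d)\n", $_->{line}, $_->{what}, $_->{severity} for @$hits;
}
```

Running it scores the risky snippet around 2/10 with four findings and the hardened one 10/10 with none. The useful lesson is in how the number is built: it is a weighted count of pattern matches normalised by code size, so a handful of findings in a small file move it sharply, and two projects of very different sizes and coding styles are not directly comparable on the score alone.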

Re: Software security analysis with BogoSec
by zentara (Cardinal) on May 15, 2006 at 11:33 UTC
    I've been reading that they've discovered a few holes in X with this. I wonder if anyone has run it against Perl?

    I'm not really a human, but I play one on earth. flash japh
      Hi zentara,

      The IBM document has a section "5.5 Scripting Languages", which charts "Perl vs PHP vs Python vs Ruby". This is on page 14 of the document. Is this what you mean?

      Thanks

      Martin
        I see, but what does the score really mean? Does it mean Ruby is more secure than Perl, and Perl is more secure than PHP? Or is it just a nebulous indicator based on current knowledge of the various weaknesses in C syntax, and how often they appear in the code? I wonder how Perl6 would fare in comparison?

        I'm not really a human, but I play one on earth. flash japh