Security Basics mailing list archives

Re: Trojan Horse Detection tools(Possibly off-topic)


From: Devdas Bhagat <dvb () users sourceforge net>
Date: Sun, 13 Apr 2003 16:33:25 +0530

On 11/04/03 10:20 +0530, Sridhar J wrote:
> Are there any tools to detect Trojan horse code? Assume that I have the
> source code, but code inspection is very cumbersome and sufficient
> expertise is needed, which is difficult to expect from developers.

Not really.
What is Trojan code? Something that calls home to its creator? Plenty of
software has that code, legitimately. For example, Microsoft Windows XP.
The only tool that can be trusted to audit code is the developer's mind.

The code itself is neutral; it is neither good nor bad. If the code
works as designed and documented, then it is good. Otherwise it is bad.

BTW, why is it hard to expect expertise from developers? They are paid
for that. The *only* way to _ensure_ security is to audit code[1], a la the
OpenBSD project. Have good developers writing and auditing the code and
ensure that such code is maintained properly.

Devdas Bhagat

[1] This is not the same as writing secure code in the first place.
