Bugle Goes Googling for Source Code FlawsBy Ryan Naraine | Posted 2006-07-25 Email Print
Modernizing Authentication — What It Takes to Transform Secure Access
A source code reviewer in London is working on a project to collect search queries that can be used to identify some of the most common vulnerabilities in open-source code indexed by Google.
The world's most popular search engine can be used to pinpoint software security bugs in source code available on the Internet, according to a new research project launched by a U.K.-based researcher.
The project, called Bugle, is a collection of Google search queries that can be used to identify some of the most common vulnerabilities in open-source code indexed by the search giant.
Emmanouel Kellinis, a security penetration tester and source code reviewer for KPMG in London, started working on Bugle privately to find pinpoints to some of the most common coding mistakes and decided to go public with the project to expand the list of search queries.
"Bugle was created mainly to help in open-source projects. Of course, it can also be used by the wider community using the Google desktop utility," Kellinis said in an e-mail interview with eWEEK.
Kellinis believes security researchers can combine Bugle queries with Google's "highly intelligent indexing algorithms" to identify vulnerable code indexed by the search engine. "Bugle will give you hints for a potential vulnerability, but you still require skill to identify an actual issue," he explained.
So far, with the help of third-party researchers, Kellinis has released a search string flaw that can help identify buffer overflows, integer overflows, format string, command injection, SQL injection and cross-site scripting flaws.
The project can also offer help in identifying bad practices and suspicious comments that are typically included in source code. In the early days of the project, Kellinis received input from several well-known programmers and security researchers, including Symantec's Ollie Whitehouse and Google hacker Philipp Lenssen.
In addition, Bugle can trigger Google Alerts, allowing developers and researches to get advance notice on new vulnerable source code for each subscribed query.
"Google is an excellent search engine with highly intelligent indexing algorithms and a huge resources database. It is a very important tool for many tasks, and security research is definitely one of them," Kellinis said.
Read the full story on eWEEK.com: Bugle Goes Googling for Source Code Flaws