
250 Chapter 6 • Code Auditing and Reverse Engineering
Q: This is tedious. Do any automated tools do this work?
A: Due to the custom and dynamic nature of source code, it’s very hard
to design a tool that is capable of understanding what the developer
intended and how an attacker might subvert that. Tools such as ITS4
and BoundsChecker help highlight some problem areas—but these
tools are far from becoming an automated replacement.
Q: Will outside companies check our source code for us?
A: We suggest you check SecurityFocus.com. SecurityFocus.com actually
maintains a multivendor security service offerings directory,
which includes a list of companies ...