security testing fuzz-testing

Tools to test software against any attacks, for programmers?


These days, I'm interested in software security. As I'm reading papers, I see that there are many attacks and that researchers are trying to invent new methods for software to get more secure systems.

This question can be a general one, including all types of attacks. There are many experienced programmers on SO; I just want to learn what you are using to check your code against these attacks. Are there any tools you use, or do you not care?

For example, I heard about static/dynamic code analysis and fuzz testing.

Thanks


Solution

  • I'm going to focus on web application security here...

    Really you want to get used to manually trawling through a website/application and playing with various parameters etc., so proxy tools are of great help (they allow you to capture and interact with forms before they reach the server):

    LiveHTTPHeaders - Firefox plugin.
    Burp Proxy - Java based.

    Obviously there comes a point where manually crawling a whole website becomes rather time consuming/tedious, and this is where automated scanning tools can be of help.

    Black box:

    WebSecurify - not used it but it's been created by a well-known web app security guy.
    Skipfish - Google released this recently so it's probably worth a look.

    And there are many other commercial tools: WhiteHat Sentinel, HP Web Inspect and probably many others I can't remember.

    White box:

    A lot of the academic research I've seen is related to static code analysis tools; I've not used any because they all focused on PHP only and had some limitations.

    Other resources:

    ha.ckers.org - great blog, with an active forum related to web app sec.
    OWASP - as previously mentioned, there are lots of insightful articles/guides/tutorials here.

    If you want to learn more about manually attacking sites yourself, the Damn Vulnerable Web App is a nice learning project. By that I mean it's a web application that is written to be deliberately insecure, so you can test your knowledge of web application security vulnerabilities legally.

    I wrote a black box scanner in Perl for my third year dissertation which was quite an interesting project. If you wanted to build something yourself it really just consisted of: