
Multiple Static Analyzers are not enough - adekok
http://freeradius.org/security/fuzzer-2017.html
======
adekok
I submitted this with a different title from the web page to get more
attention to the issue. Not many people care about FreeRADIUS. I suspect there
will be more interest in the underlying issues.

We run FreeRADIUS through four different static analysis tools, and have
hundreds of regression tests. After the OpenVPN issues recently, I asked Guido
Vranken to look into FreeRADIUS.

In short, fuzzing and address sanitization found about as many security issues
as were found by all other techniques in the last 10 years.

_Everyone: Please use fuzzers and address sanitizers on your C code. It will
find things._

