Manual reviews may still be part of the effort, but only where automation (fuzzing) is not adequate. Some examples:
I know he goes on to list specific things that fuzzing finds hard to find, but I personally think that it would be better to say that both fuzzing and manual code review should be used.
That would not be actionable advice - of course more review in any form is better in isolation, but the question people actually have to answer in practice is where to best expend limited resources.
Here’s a plug for the thing I’m working on. If you want a VPN in less than 4k lines of code – small enough that you can read and understand it in a single sitting – then you might want to check out WireGuard. It’s a relatively new project, but considerably less scary than big behemoths like OpenVPN or IPsec.
Would I be able to use wireguard with something like Mullvad?
Yes. If you Google those two keywords, you’ll find what you’re looking for.
\o/