[SC-L] Dark Reading - Discovery and management - Security Startups Make Debut - Security News Analysis
ljknews
ljknews at mac.com
Mon Jan 22 15:38:04 EST 2007
At 1:52 PM -0500 1/22/07, Kenneth Van Wyk wrote:
> Ok, last software security news item for today, I promise. :-) This
> article (see
> <http://www.darkreading.com/document.asp?doc_id=115110&WT.svl=news1_1>)
> is about a couple of new startup companies. One of them in particular,
> Veracode, may be of some interest here. The article says, "Veracode,
> founded by Chris Wysopal and other former executives of @stake, is now
> offering patented binary-code analysis of software for enterprises that
> want to analyze their software's security on a regular basis. The ASP will
> also offer security reviews of enterprise products and security analysis
> of third-party apps for software developers."
>
> The article also provides some counterpoints, including some from Gary
> McGraw, that are worth reading. Among other things, Gary says, "However,
> if you want real security analysis you have to go past the binary, past
> the source code, and actually consider the design."
>
> Opinions on binary vs. source code (and design!) analysis, anyone?
Analyzing source code is independent of machine architecture.
My guess is that if a company actually is capable of analyzing
binary code they only do it for the highest volume instruction
sets.
My guess is that attackers will go after machines they feel are
less protected.
Efforts which merely change attacker behavior are a waste of time.
--
Larry Kilgallen