[SC-L] Dr. Dobb's | The Truth About Software Security | January 20, 2007
der Mouse
mouse at Rodents.Montreal.QC.CA
Tue Jan 30 11:24:13 EST 2007
> One examining only source code will miss any errors or problems that
> may be introduced by the compiler or linker. As Symantec says -
> working with the object code is working at the level the attackers
> work.

Some attackers, at least. I have no doubt there are plenty of
attackers looking over source code hunting for logic bugs.

I would say that anyone who thinks that either source-level analysis or
binary-level analysis is the One True Answer is either talking about a
severely restricted subset or is deluded. (Or, perhaps, is just trying
to delude others. :-)

Anything that finds bugs helps, whether it's eyeballs and brains,
binary analysis tools, source-level analysis tools, magic 8-balls,
whatever - if it finds bugs, it's good.

/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML mouse at rodents.montreal.qc.ca
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B