[SC-L] BSIMM: Confessions of a Software Security Alchemist(informIT)
Jim Manico
jim at manico.net
Fri Mar 20 14:07:20 EST 2009
This is why I'm not fond of leading with a tool. I prefer to lead with
architectural/design analysis and targeted manual review of high risk
applications.
Jim Manico
jim at manico.net
On Mar 20, 2009, at 4:06 AM, "Goertzel, Karen [USA]" <goertzel_karen at bah.com> wrote:
> Except when they're hardware bugs. :)
>
> I think the differentiation is also meaningful in this regard: I can
> specify software that does non-secure things. I can implement that
> software 100% correctly. Ipso facto - no software bugs. But the fact
> remains that the software doesn't validate input because I didn't
> specify it to validate input, or it doesn't encrypt passwords
> because I didn't specify it to do so. I built to spec; it just
> happened to be a stupid spec. So the spec is flawed - but the
> implemented software conforms to that stupid spec 100%, so by
> definition it is not flawed. It is, however, non-secure.
>
> --
> Karen Mercedes Goertzel, CISSP
> Booz Allen Hamilton
> 703.698.7454
> goertzel_karen at bah.com
>
> -----Original Message-----
> From: sc-l-bounces at securecoding.org on behalf of Benjamin Tomhave
> Sent: Thu 19-Mar-09 19:28
> To: Secure Code Mailing List
> Subject: Re: [SC-L] BSIMM: Confessions of a Software Security
> Alchemist(informIT)
>
> Why are we differentiating between "software" and "security" bugs? It
> seems to me that all bugs are software bugs, ...
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L at securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________