| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: full-disclosure at royds.net (Bill Royds) Subject: Auditing code for security problems In an article(http://msdn.microsoft.com/msdnmag/issues/03/11/SecurityCodeReview/de fault.aspx) in the Novermber issue of MSDN magazine, Michael Howard (who wrote building secure code), gives pointers to finding security defects in code. "Allocating Time and Effort I have a ranking system I use to determine how much relative time I need to spend reviewing the code. The system is based on the damage potential if a vulnerability is exploited and the potential for attack. The quota system is based on the following traits: Does the code run by default? Does the code run with elevated privileges? Is the code listening on a network interface? Is the network interface unauthenticated? Is the code written in C/C++? Does the code have a prior history of vulnerability? Is this component under close scrutiny by security researchers? Does the code handle sensitive or private data? Is the code reusable (for example, a DLL, C++ class header, library, or assembly)? Based on the threat model, is this component in a high-risk environment or subject to many high-risk threats? "
Powered by blists - more mailing lists