| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <200310091515.42738.ken@vanwyk.org> From: ken at vanwyk.org (Kenneth R. van Wyk) Subject: Microsoft Outlines New Initiatives in Ongoi ng Security Efforts To Help Customers On Thursday 09 October 2003 13:50, Dehner, Benjamin T. wrote: > What is interesting in this article is what Balmer does NOT say. > Specifically: > -- code auditing to prevent security problems > -- Q/A testing of software to detect bugs > -- testing of patches to prevent patch interaction and over-write > issues > -- third party security testing These all seem to me to be reasonable steps for detecting/preventing/removing software implementation flaws, but they don't address design or architectural concerns. That being said, ridding the world of every buffer overflow would be a great thing. But I'm still concerned with design problems. For example, an email program that allows a user to mouse-click on an attachment and run it with all of the privileges of the user has a fundamental design flaw that removing every single buffer overflow and such won't cure. Likewise for architectural flaws. IMHO, developing safe software must be an engineering process that, among other things, includes tests at each phase of the development life cycle. Testing source code is just one component of that. Cheers, Ken van Wyk (Co-author, Secure Coding (O'Reilly, 2003), http://www.securecoding.org)
Powered by blists - more mailing lists