Secure Coding mailing list archives
RE: Security Standard Branding & Expectation Checklists
From: "David Crocker" <dcrocker () eschertech com>
Date: Sat, 10 Jan 2004 14:51:28 +0000
Crispin Cowan wrote:
This is what the old Orange Book standard did, and kind of what the Common Criteria does today. For 6 or 7 digits of money, various labs will certify that your product complied with those well-established software development methods, and provides certain mandatory features such as audit logging. None of which prevents you from having a remotely exploitable buffer overflow on day 1 after certification is granted and your product is released. << A software development process that admits ANY sort of buffer overflow attack is seriously broken, IMO. You don't even need formal methods to avoid buffer overflows, just good defensive programming practice. Buffer overflow attacks are so easy to prevent that I think any so-called software engineer who writes code that suffers from such a vulnerability deserves to be found guilty of negligence. David Crocker Escher Technologies Ltd. www.eschertech.com
Current thread:
- Security Standard Branding & Expectation Checklists Jared W. Robinson (Jan 07)
- Re: Security Standard Branding & Expectation Checklists Brett Hutley (Jan 08)
- Re: Security Standard Branding & Expectation Checklists Crispin Cowan (Jan 08)
- Re: Security Standard Branding & Expectation Checklists Jared W. Robinson (Jan 08)
- Re: Security Standard Branding & Expectation Checklists Crispin Cowan (Jan 09)
- RE: Security Standard Branding & Expectation Checklists David Crocker (Jan 10)
- RE: Security Standard Branding & Expectation Checklists ljknews (Jan 10)
- Re: Security Standard Branding & Expectation Checklists Jeff Williams @ Aspect (Jan 11)
- Re: Security Standard Branding & Expectation Checklists Jared W. Robinson (Jan 08)