Secure Coding mailing list archives
Compilers
From: gem at cigital.com (Gary McGraw)
Date: Thu, 21 Dec 2006 21:27:01 -0500
I have a better idea. Stop using C++. Jeeze.

gem

-----Original Message-----
From: Robert C. Seacord [mailto:rcs at cert.org]
Sent: Thu Dec 21 20:40:35 2006
To: McGovern, James F (HTSC, IT)
Cc: Thomas Plum; Secure Coding
Subject: Re: [SC-L] Compilers

James,

Response below.
I have been noodling the problem space of secure coding after attending a wonderful class taught by Ken Van Wyk. I have been casually checking out Fortify, Ounce Labs, etc., and have a thought that this stuff should really be part of the compiler and not a standalone product. Understanding that folks do start companies to make up deficiencies in what large vendors ignore, how far off base in my thinking am I?
Tom Plum (from Plum Hall, Inc.) is developing a solution called Safe/Secure C/C++ (SSCC) that might interest you (http://www.plumhall.com/sscc.html). SSCC incorporates static-analysis methods into the compiler as well as adding run-time protection schemes to eliminate buffer overflows and mitigate against other types of vulnerabilities. (I know that the claim seems exaggerated, but the approach seems quite sound and I have yet to identify a case that SSCC cannot eliminate.) Anyway, there is more information on his web site and I have cc'd Tom on this message in case you would like to contact him directly.

rCs