Secure Coding mailing list archives
BSIMM: Confessions of a Software SecurityAlchemist(informIT)
From: gem at cigital.com (Gary McGraw)
Date: Fri, 20 Mar 2009 23:41:15 -0400
hi pub, once long ago I spilt a bottle of wine with dan geer in Palo Alto to lament his dead disk drive. we decided the conference sucked anyway and proceeded to the Cowper. we argued for hours about whether a buffer overflow was a bug or a flaw. if you find one in a code pile (say, caused by a local variable on the stack and a gets call) , it is a bug. Or is it a flaw that the C stack grows in an incredibly stupid way? hmm. Necker defect. gem http;//www.cigital.com/~gem On 3/20/09 2:28 PM, "Pravir Chandra" <chandra at list.org> wrote: Well, it seems that there's an interesting nuance here. We don't really have a concrete definition for what software is (code, design, compiled bins, etc.). All of these things plus the subjective expectations from designers, users, and security folks tend to be the domain for how the term is used. Now on to 'bug'... Same thing applies. A missing feature can be called a bug just as well as a flawed line of code (or even a specified feature that does something undesirable). But, I'm of the mind that avoiding security problems in software comes down to specification and design. I know Gary likes to talk about security problems as bugs (code-level) vs flaws (design-level), but this abstraction isn't helpful when trying to build secure software in general (however, it is helpful in convincing people that are bug-chasing to look elsewhere too). In fact, I'd be willing to be that for just about every software security problem we've dealt, I could give you a design/spec level solution that would prevent it in general (and make auditing and so forth incredibly streamlined). p. ~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~ ~~~~~ ~~~ ~~ ~ Pravir Chandra chandra<at>list<dot>org PGP: CE60 0E10 9207 7290 06EB 5107 4032 63FC 338E 16E4 ~ ~~ ~~~ ~~~~~ ~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~ -----Original Message----- From: "Goertzel, Karen [USA]" <goertzel_karen at bah.com> Date: Fri, 20 Mar 2009 10:06:46 To: Benjamin Tomhave<list-spam at secureconsulting.net>; Secure Code Mailing List<SC-L at securecoding.org> Subject: Re: [SC-L] BSIMM: Confessions of a Software Security Alchemist(informIT) _______________________________________________ Secure Coding mailing list (SC-L) SC-L at securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________ _______________________________________________ Secure Coding mailing list (SC-L) SC-L at securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________
Current thread:
- BSIMM: Confessions of a Software SecurityAlchemist(informIT), (continued)
- BSIMM: Confessions of a Software SecurityAlchemist(informIT) Gunnar Peterson (Mar 20)
- Supply Chain Resiliency Project Assistance Mason Brown (Mar 22)
- Supply Chain Resiliency Project Assistance Gary McGraw (Mar 22)
- Supply Chain Resiliency Project Assistance Gadi Evron (Mar 22)
- Supply Chain Resiliency Project Assistance Wisseman, Stan [USA] (Mar 22)
- Supply Chain Resiliency Project Assistance Sammy Migues (Mar 22)
- Supply Chain Resiliency Project Assistance Dave Wichers (Mar 23)
- Supply Chain Resiliency Project Assistance Mason Brown (Mar 23)
- Supply Chain Resiliency Project Assistance Rohit Lists (Mar 23)
- BSIMM: Confessions of a Software SecurityAlchemist(informIT) Florian Weimer (Mar 21)
- BSIMM: Confessions of a Software SecurityAlchemist(informIT) Gary McGraw (Mar 20)
- BSIMM: Confessions of a Software SecurityAlchemist(informIT) ljknews (Mar 21)
- BSIMM: Confessions of a Software SecurityAlchemist(informIT) Steven M. Christey (Mar 22)
- BSIMM: Confessions of a Software SecurityAlchemist(informIT) Gary McGraw (Mar 23)
- The Importance of Type Safety Brad Andrews (Mar 23)
- The Importance of Type Safety Carl Alphonce (Mar 23)
- The Importance of Type Safety AF (Mar 23)
- The Importance of Type Safety Brad Andrews (Mar 23)
- The Importance of Type Safety Jeremy Epstein (Mar 23)
- The Importance of Type Safety AF (Mar 26)
- BSIMM: Confessions of a Software SecurityAlchemist(informIT) Andy Steingruebl (Mar 24)