Full Disclosure mailing list archives
Auditing code for security problems
From: "Bill Royds" <full-disclosure () royds net>
Date: Wed, 29 Oct 2003 21:27:22 -0500
In an article (http://msdn.microsoft.com/msdnmag/issues/03/11/SecurityCodeReview/default.aspx) in the November issue of MSDN magazine, Michael Howard (who wrote building secure code), gives pointers to finding security defects in code.

"Allocating Time and Effort

I have a ranking system I use to determine how much relative time I need to spend reviewing the code. The system is based on the damage potential if a vulnerability is exploited and the potential for attack. The quota system is based on the following traits:

- Does the code run by default?
- Does the code run with elevated privileges?
- Is the code listening on a network interface?
- Is the network interface unauthenticated?
- Is the code written in C/C++?
- Does the code have a prior history of vulnerability?
- Is this component under close scrutiny by security researchers?
- Does the code handle sensitive or private data?
- Is the code reusable (for example, a DLL, C++ class header, library, or assembly)?
- Based on the threat model, is this component in a high-risk environment or subject to many high-risk threats?"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
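The quoted traits give a way to rank components so that review time goes where an exploitable defect would do the most damage. The following is an added worked example, not code from the post, from Howard's article or from any Microsoft tool: it scores components against those ten traits and splits a review-hour budget proportionally. The weights and the three sample components are this example's own assumptions (the article as quoted gives no numbers), so treat them as a starting point to tune against your own threat model.

```python
from dataclasses import dataclass, field

# Review-effort traits paraphrased from the list quoted above. The weights are
# an assumption made for this example; the article gives no numeric values.
TRAIT_WEIGHTS = {
    "runs_by_default": 2,
    "elevated_privileges": 3,
    "listens_on_network": 3,
    "unauthenticated_interface": 3,
    "written_in_c_cpp": 2,
    "prior_vulnerability_history": 2,
    "under_researcher_scrutiny": 1,
    "handles_sensitive_data": 2,
    "reusable_component": 1,
    "high_risk_environment": 2,
}


@dataclass
class Component:
    """A unit of code under review, with the traits that apply to it."""
    name: str
    traits: dict = field(default_factory=dict)  # trait name -> bool


def risk_score(component):
    """Sum the weights of every trait the component exhibits.

    Raises ValueError on a trait name that is not in the checklist, so a
    typo in an inventory file cannot silently drop a risk factor.
    """
    unknown = set(component.traits) - set(TRAIT_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown traits: {sorted(unknown)}")
    return sum(
        weight for trait, weight in TRAIT_WEIGHTS.items()
        if component.traits.get(trait, False)
    )


def rank(components):
    """Order components from highest to lowest risk; ties break by name."""
    return sorted(components, key=lambda c: (-risk_score(c), c.name))


def allocate_review_hours(components, total_hours):
    """Split a review budget across components in proportion to risk score.

    If nothing scores above zero the budget is shared evenly, so no component
    is left entirely unreviewed.
    """
    scores = {c.name: risk_score(c) for c in components}
    total = sum(scores.values())
    if total == 0:
        return {name: total_hours / len(scores) for name in scores}
    return {name: total_hours * score / total for name, score in scores.items()}


# Constructed sample inventory (not real software) to exercise the scorer.
SAMPLE_COMPONENTS = [
    Component("net_listener", {
        "runs_by_default": True,
        "listens_on_network": True,
        "unauthenticated_interface": True,
        "written_in_c_cpp": True,
    }),
    Component("admin_tool", {
        "elevated_privileges": True,
        "written_in_c_cpp": True,
    }),
    Component("report_gen", {
        "handles_sensitive_data": True,
    }),
]


if __name__ == "__main__":
    for component in rank(SAMPLE_COMPONENTS):
        print(f"{component.name:<14} score={risk_score(component)}")
    for name, hours in allocate_review_hours(SAMPLE_COMPONENTS, 34).items():
        print(f"{name:<14} review hours={hours:.1f}")
```

Run it to see the unauthenticated C/C++ network listener land at the top and receive the largest share of the 34-hour budget, which is the outcome the quoted ranking system is meant to produce.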