Full Disclosure mailing list archives
Re: Microsoft Outlines New Initiatives in Ongoi ng Security Efforts To Help Customers
From: "Kenneth R. van Wyk" <ken () vanwyk org>
Date: Thu, 9 Oct 2003 15:15:42 -0400
On Thursday 09 October 2003 13:50, Dehner, Benjamin T. wrote:
What is interesting in this article is what Balmer does NOT say. Specifically: -- code auditing to prevent security problems -- Q/A testing of software to detect bugs -- testing of patches to prevent patch interaction and over-write issues -- third party security testing
These all seem to me to be reasonable steps for detecting/preventing/removing software implementation flaws, but they don't address design or architectural concerns. That being said, ridding the world of every buffer overflow would be a great thing. But I'm still concerned with design problems. For example, an email program that allows a user to mouse-click on an attachment and run it with all of the privileges of the user has a fundamental design flaw that removing every single buffer overflow and such won't cure. Likewise for architectural flaws. IMHO, developing safe software must be an engineering process that, among other things, includes tests at each phase of the development life cycle. Testing source code is just one component of that. Cheers, Ken van Wyk (Co-author, Secure Coding (O'Reilly, 2003), http://www.securecoding.org) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: Microsoft Outlines New Initiatives in Ongoi ng Security Efforts To Help Customers Dehner, Benjamin T. (Oct 09)
- Re: Microsoft Outlines New Initiatives in Ongoi ng Security Efforts To Help Customers Kenneth R. van Wyk (Oct 09)
- Re: Microsoft Outlines New Initiatives in Ongoi ng Security Efforts To Help Customers Georgi Guninski (Oct 10)