oss-sec mailing list archives

Apple goto fail - lessons that should be learned


From: "David A. Wheeler" <dwheeler () dwheeler com>
Date: Wed, 26 Nov 2014 12:34:15 -0500 (EST)

I recently looked at Apple's "goto fail" vulnerability
revealed back in February this year, to see what could or should have
been done to find the vulnerability BEFORE the code was released to users.
You can see the result here:

http://www.dwheeler.com/essays/apple-goto-fail.html

As always, if there are additional measures, let me know.

I've previously done this exercise with:
* Heartbleed: http://www.dwheeler.com/essays/heartbleed.html
* Shellshock: http://www.dwheeler.com/essays/shellshock.html
* POODLE: http://www.dwheeler.com/essays/poodle-sslv3.html

My hope is that everyone involved in software development and/or
security analysis will get better at countering or detecting
vulnerabilities *before* they get out to users.  Learning from the past
seems like a way to help get there.

--- David A. Wheeler
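The control-flow bug the post refers to, reduced to its shape, as an added example that is not part of the post, of the linked essay, or of Apple's code: a duplicated unconditional `goto fail;` makes the final signature check unreachable while the error variable still holds "success", so a forged signature is accepted. Beside it is a braced version and a negative test (feed a bad signature, require rejection), which is the kind of pre-release check the post asks about. The function names, return codes and inputs are constructed stand-ins, not the real TLS code.

```c
/* Simplified reconstruction of the "goto fail" control-flow bug pattern,
 * added as an example; this is not Apple's code or David Wheeler's. The
 * function names, the check steps and the inputs are all constructed. */
#include <stdio.h>
#include <string.h>

/* Hypothetical result code: 0 means "signature OK", non-zero means failure. */
enum { OK = 0, ERR_HASH = 1, ERR_SIG = 2 };

/* Stand-ins for the hash-update and verification steps (constructed). */
static int update_hash(const char *part) { return part ? OK : ERR_HASH; }
static int verify_signature(const char *sig)
{
    return (sig && strcmp(sig, "good") == 0) ? OK : ERR_SIG;
}

/* Vulnerable shape: the second "goto fail;" is unconditional, so the
 * verify_signature() step is never reached and err is still OK. */
int check_vulnerable(const char *a, const char *b, const char *sig)
{
    int err = OK;
    if ((err = update_hash(a)) != OK)
        goto fail;
    if ((err = update_hash(b)) != OK)
        goto fail;
        goto fail;                           /* duplicated line */
    if ((err = verify_signature(sig)) != OK) /* unreachable */
        goto fail;
fail:
    return err;
}

/* Fixed shape: every conditional body is braced, so a stray duplicated
 * line cannot silently change the control flow. */
int check_fixed(const char *a, const char *b, const char *sig)
{
    int err = OK;
    if ((err = update_hash(a)) != OK) {
        goto fail;
    }
    if ((err = update_hash(b)) != OK) {
        goto fail;
    }
    if ((err = verify_signature(sig)) != OK) {
        goto fail;
    }
fail:
    return err;
}

/* Negative test: a forged signature must be rejected. Returns 1 if the
 * given checker rejects it, 0 if it wrongly accepts it. */
int rejects_bad_signature(int (*check)(const char *, const char *, const char *))
{
    return check("msg", "params", "forged") != OK;
}

int main(void)
{
    printf("vulnerable rejects forged sig: %d\n", rejects_bad_signature(check_vulnerable));
    printf("fixed rejects forged sig:      %d\n", rejects_bad_signature(check_fixed));
    return 0;
}
```

Compiling the vulnerable version with clang's `-Wunreachable-code` flags the dead `if`; the negative test catches it regardless of compiler, which is why a test suite that exercises failure paths, not only success paths, is the more robust check.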

