Secure Coding mailing list archives

RE: Checking values

From: "Brown, James (Jim)" <JBrown () thrupoint net>
Date: Sun, 07 Dec 2003 17:42:17 +0000

OO based software was designed to address complexity-
classes at higher levels depend on code at lower levels.
And like any layered activity, the weakest layer (or class)
is the limit of security.  The problem is you don't *really know*
the level of security of the lower classes.  You just use
them assuming that the other developer did his homework.
Without this implicit assumption, you would always have
to ask is "Which circle of trust do I want to go to today?"

I can't spend time verifying all the lower classes and levels
of software I use to write code- I'd never get anything done.
What I try to do is verify that I use the most 'mature' classes
of code (modules) I can find.

This is not a perfect (or even a really good) solution, but
I can't think of a better one.

jpb
===

Current thread:

Checking values Chris Richards (Dec 05)
- <Possible follow-ups>
- Re: Checking values carolyn . ryll (Dec 06)
- Re: Checking values Peter G. Neumann (Dec 07)
- RE: Checking values Brown, James (Jim) (Dec 07)