Secure Coding mailing list archives

Re: Spot the bug


From: "John Steven" <jsteven () cigital com>
Date: Wed, 20 Jul 2005 00:26:47 +0100

I'm excited that Microsoft is reaching out and providing this learning aid.
Most people I interview don't know how to spot some pretty simple vulnerable
code constructs. I'll even have my newbies subscribe to this RSS for a
spell, in hopes that their attack toolkit may be augmented.

But, some advice for Microsoft if they're listening:

When the initial entrées are so ridiculously simple that they don't even
bear a full minute of scrutiny, they are best served in sets of 10. That
gives the audience enough problems to puzzle through that they can mentally
engage.

Long-term, I don't fear the validity of the approach because some
exploitable constructs are very subtle.

-----
John Steven
Principal, Software Security Group
Technical Director, Office of the CTO
703 404 5726 - Direct | 703 404 9295 - Fax
Cigital Inc.          | [EMAIL PROTECTED]

4772 F7F3 1019 4668 62AD  94B0 AE7F EEF4 62D5 F908


From: Mark Curphey <[EMAIL PROTECTED]>

If you fancy yourself as a good code reviewer, you can play spot the bug at
MSDN. They will be getting harder!

http://msdn.microsoft.com/security/
