Secure Coding mailing list archives

Bugs and flaws

From: james.stibbards at cloakware.com (James Stibbards)
Date: Fri, 3 Feb 2006 12:16:08 -0500

Hi Gary,

In one of your prior posts you mentioned documentation.  I believe that the
problem with WMF was that someone had not examined WMF as a postential
source of vulnerabilities, since the embedded code was an legacy capability.

My belief is that one of the keys to finding flaws lies in the proper
capture of the requirements/contract of a software component, and then
examining and testing against that. Without the proper requirements that
speak clearly to security,  we can inspect and examine, but we won't know
what we're measuring against.  That doesn't solve the problem of knowing
when we're done, I realize.

See you at SSS.
- James

-----Original Message-----
From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org]
On Behalf Of Gary McGraw
Sent: Friday, February 03, 2006 11:13 AM
To: Kenneth R. van Wyk; Secure Coding Mailing List
Subject: RE: [SC-L] Bugs and flaws

To cycle this all back around to the original posting, lets talk about the
WMF flaw in particular.  Do we believe that the best way for Microsoft to
find similar design problems is to do code review?  Or should they use a
higher level approach?

Were they correct in saying (officially) that flaws such as WMF are hard to
anticipate? 

gem



----------------------------------------------------------------------------
This electronic message transmission contains information that may be
confidential or privileged.  The information contained herein is intended
solely for the recipient and use by any other party is not authorized.  If
you are not the intended recipient (or otherwise authorized to receive this
message by the intended recipient), any disclosure, copying, distribution or
use of the contents of the information is prohibited.  If you have received
this electronic message transmission in error, please contact the sender by
reply email and delete all copies of this message.  Cigital, Inc. accepts no
responsibility for any loss or damage resulting directly or indirectly from
the use of this email or its contents.
Thank You.
----------------------------------------------------------------------------

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php

Current thread:

Bugs and flaws, (continued)
- Bugs and flaws Gary McGraw (Feb 02)
  - Bugs and flaws Jeff Williams (Feb 02)
  - Bugs and flaws John Steven (Feb 02)
  - Bugs and flaws der Mouse (Feb 02)
  - Bugs and flaws Wietse Venema (Feb 03)
    - Bugs and flaws Greg Beeley (Feb 03)
- Bugs and flaws Brian Chess (Feb 02)
- Bugs and flaws Gary McGraw (Feb 02)
  - Bugs and flaws Jeff Williams (Feb 02)
- Bugs and flaws Gary McGraw (Feb 03)
  - Bugs and flaws James Stibbards (Feb 03)
  - Bugs and flaws Crispin Cowan (Feb 03)
    - Bugs and flaws Dana Epp (Feb 03)
    - Bugs and flaws Crispin Cowan (Feb 07)
- Bugs and flaws Nick FitzGerald (Feb 03)
- Bugs and flaws Brian Chess (Feb 03)
- Bugs and flaws Nick FitzGerald (Feb 03)
- Bugs and flaws Evans, Arian (Feb 06)
- Bugs and flaws Evans, Arian (Feb 06)
  - Where to read about construction quality software ljknews (Feb 06)
- Bugs and flaws Gary McGraw (Feb 06)

(Thread continues...)