Secure Coding mailing list archives

Dr. Dobb's | The Truth About Software Security | January 20, 2007


From: mshines at purdue.edu (Michael S Hines)
Date: Tue, 30 Jan 2007 09:17:36 -0500

One examining only source code will miss any errors or problems that may be
introduced by the compiler or linker.  As Symantec says - working with the
object code is working at the level the attackers work.  
 
Of course one would have to verify the object code made public is the same
object code that was analyzed/verified. Otherwise you could get the case
where the code was advertised as 'checked' and it still has a
vulnerability. Of course that could happen anyway - as the process
probably isn't perfect (though much better than nothing).
 
Not all compilers or linkers are perfect either.   
 
There is only one way to get it right, yet so many ways to get it wrong.   
 
Mike Hines
 
-----------------------------
Michael S Hines
mshines at purdue.edu 
 

  _____  

From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org]
On Behalf Of Kenneth Van Wyk
Sent: Tuesday, January 30, 2007 5:25 AM
To: Secure Coding
Subject: [SC-L] Dr. Dobb's | The Truth About Software Security | January 20, 2007


FYI, there's an interesting article on ddj.com about Symantec's new
"Veracode" binary code analysis service.

http://www.ddj.com/dept/security/196902326 

Among other things, the article says, "Veracode clients send a compiled
version of the software they want analyzed over the Internet and within 72
hours receive a Web-based report explaining--and prioritizing--its security
flaws." 


Any SC-Lers have any first-hand experience with Veracode that they're
willing to share here? Opinions?


Cheers,


Ken

-----
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com





