Secure Coding mailing list archives
Dr. Dobb's | The Truth About Software Security | January 20, 2007
From: mouse at Rodents.Montreal.QC.CA (der Mouse)
Date: Tue, 30 Jan 2007 11:24:13 -0500 (EST)
> One examining only source code will miss any errors or problems that may be introduced by the compiler or linker. As Symantec says - working with the object code is working at the level the attackers work.
Some attackers, at least. I have no doubt there are plenty of attackers looking over source code hunting for logic bugs. I would say that anyone who thinks that either source-level analysis or binary-level analysis is the One True Answer is either talking about a severely restricted subset or is deluded. (Or, perhaps, is just trying to delude others. :-)

Anything that finds bugs helps, whether it's eyeballs and brains, binary analysis tools, source-level analysis tools, magic 8-balls, whatever - if it finds bugs, it's good.

/~\ The ASCII                             der Mouse
\ / Ribbon Campaign
 X  Against HTML               mouse at rodents.montreal.qc.ca
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B