Secure Coding mailing list archives

Dr. Dobb's | The Truth About Software Security | January 20, 2007

From: mouse at Rodents.Montreal.QC.CA (der Mouse)
Date: Tue, 30 Jan 2007 11:24:13 -0500 (EST)

One examining only source code will miss any errors or problems that
may be introduced by the compiler or linker.  As Symantec says -
working with the object code is working at the level the attackers
work.


Some attackers, at least.  I have no doubt there are plenty of
attackers looking over source code hunting for logic bugs.

I would say that anyone who thinks that either source-level analysis or
binary-level analysis is the One True Answer is either talking about a
severely restricted subset or is deluded.  (Or, perhaps, is just trying
to delude others. :-)

Anything that finds bugs helps, whether it's eyeballs and brains,
binary analysis tools, source-level analysis tools, magic 8-balls,
whatever - if it finds bugs, it's good.

/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML               mouse at rodents.montreal.qc.ca
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

Current thread:

Dr. Dobb's | The Truth About Software Security | January 20, 2007 Kenneth Van Wyk (Jan 30)
- Dr. Dobb's | The Truth About Software Security | January 20, 2007 ljknews (Jan 30)
- Dr. Dobb's | The Truth About Software Security | January 20, 2007 Michael S Hines (Jan 30)
  - Dr. Dobb's | The Truth About Software Security | January 20, 2007 Gadi Evron (Jan 30)
  - Dr. Dobb's | The Truth About Software Security | January 20, 2007 der Mouse (Jan 30)
- Dr. Dobb's | The Truth About Software Security | January 20, 2007 Chris Wysopal (Jan 30)
  - Dr. Dobb's | The Truth About Software Security | January 20, 2007 mudge (Jan 30)