Secure Coding mailing list archives
Tools: Evaluation Criteria
From: peter.amey at praxis-his.com (Peter Amey)
Date: Thu, 24 May 2007 15:32:08 +0100
-----Original Message----- From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of Wall, Kevin Sent: 24 May 2007 12:45 To: McGovern, James F (HTSC, IT) Cc: SC-L at securecoding.org Subject: Re: [SC-L] Tools: Evaluation Criteria James McGovern wrote...Maybe folks are still building square windows because we haven't realized how software fails and can describe it in terms ofa pattern.The only pattern-oriented book I have ran across in mytravels is theCore Security Patterns put out by the folks at Sun. Do you think we should stop talking solely about code and start talking about how vulnerabilities are repeatedly introduced and describeusing patternsnotation?
[snip I am very happy to accept that we may not understand /all/ or even /most/ of the ways software fails but we do know an awful lot. Buffer overflows, numeric overflows and division by zero have been wee understood for years. The first was limited by various versions of Pascal ages ago. Yet we are still clinging to techniques that hope we can spot a buffer overflow "pattern" after construction (and hopefully before an exploiter!). There is a nice symmetry about my aeronautical analogy. The Comet disasters occurred just over 50 years after the Wright brothers first flew; and we are still fiddling around with buffer overflows just over 50 years after Colossus (at the Bletchley Park crypto centre of Enigma fame) signalled the start of the computer age. That's all, back to the asylum! Peter This email is confidential and intended solely for the use of the individual to whom it is addressed. If you are not the intended recipient, be advised that you have received this email in error and that any use, disclosure, copying or distribution or any action taken or omitted to be taken in reliance on it is strictly prohibited. If you have received this email in error please contact the sender. Any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Praxis. Although this email and any attachments are believed to be free of any virus or other defect, no responsibility is accepted by Praxis or any of its associated companies for any loss or damage arising in any way from the receipt or use thereof. The IT Department at Praxis can be contacted at it.support at praxis-his.com. Praxis High Integrity Systems Ltd: Company Number: 3302507, registered in England and Wales Registered Address: 20 Manvers Street, Bath. BA1 1PX VAT Registered in Great Britain: 682635707
Current thread:
- Tools: Evaluation Criteria Peter Amey (May 22)
- <Possible follow-ups>
- Tools: Evaluation Criteria Peter Amey (May 23)
- Tools: Evaluation Criteria McGovern, James F (HTSC, IT) (May 23)
- Tools: Evaluation Criteria ljknews (May 23)
- Tools: Evaluation Criteria Wall, Kevin (May 24)
- Tools: Evaluation Criteria Gunnar Peterson (May 24)
- Tools: Evaluation Criteria McGovern, James F (HTSC, IT) (May 23)
- Tools: Evaluation Criteria Peter Amey (May 24)