Secure Coding mailing list archives

Root Canal Treatment vs Source Code Review

From: Everhart at gce.com (Mary and Glenn Everhart)
Date: Mon, 30 Jun 2008 22:43:37 -0400

Jonathan Leffler wrote:

Under the subject "InternetNews Realtime IT News - Merchants Cope With PCI 
Compliance", Kenneth Van Wyk <ken at krvw.com> wrote:
[...] In talking with my customers over the past several months, I always 
find it interesting that the vast majority would sooner have root canal 
than submit their source code to anyone for external review. [...]

There's a simple reason for that reluctance - most people are painfully 
aware that their software won't stand the scrutiny that an external review 
would entail.

  
------------------------------------------------------------------------

_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________

There is another reason I have seen quite often: you can't readily ask 
the designer of
the code what it does when he is dead, or when he has left the company 
(esp. if he works for a competitor). In many such situations I see code 
that gets touched at all with
great fear and trembling, because people are not certain they can build 
it all from
sources.  Eventually that gets replaced, but in some cases that may be 
long delayed.

I've used a few tools to analyze code, and noticed that mostly they 
don't really know
how trustworthy external information is (or even, for sure, what is 
external). Result is
much hand winnowing needed. Still they seem to take less looking than 
learning
an entire code base.

I still favor trying to characterize what functions are supposed to be 
invoked by
calls to routines and trying to characterize this for each 
call....giving rise to
a hopefully small number of permitted patterns for any call location. 
Obviously
this is much easier to do for interpreters like SQL than HTML, but the 
approach
may do better against future attacks than other approaches.

Glenn Everhart

Current thread:

Root Canal Treatment vs Source Code Review Jonathan Leffler (Jun 30)
- Root Canal Treatment vs Source Code Review Mary and Glenn Everhart (Jun 30)