Secure Coding mailing list archives

BSIMM: Confessions of a Software Security Alchemist (informIT)


From: chandra at list.org (Pravir Chandra)
Date: Fri, 20 Mar 2009 18:28:37 +0000

Well, it seems that there's an interesting nuance here. We don't really have a concrete definition for what software is 
(code, design, compiled bins, etc.). All of these things plus the subjective expectations from designers, users, and 
security folks tend to be the domain for how the term is used.

Now on to 'bug'... Same thing applies. A missing feature can be called a bug just as well as a flawed line of code (or 
even a specified feature that does something undesirable).

But, I'm of the mind that avoiding security problems in software comes down to specification and design. I know Gary 
likes to talk about security problems as bugs (code-level) vs flaws (design-level), but this abstraction isn't helpful 
when trying to build secure software in general (however, it is helpful in convincing people that are bug-chasing to 
look elsewhere too). In fact, I'd be willing to bet that for just about every software security problem we've dealt 
with, I could give you a design/spec level solution that would prevent it in general (and make auditing and so forth 
incredibly streamlined).

p.
 


~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~ ~~~~~ ~~~ ~~ ~
Pravir Chandra                      chandra<at>list<dot>org
PGP:    CE60 0E10 9207 7290 06EB   5107 4032 63FC 338E 16E4
~ ~~ ~~~ ~~~~~ ~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~

-----Original Message-----
From: "Goertzel, Karen [USA]" <goertzel_karen at bah.com>

Date: Fri, 20 Mar 2009 10:06:46 
To: Benjamin Tomhave<list-spam at secureconsulting.net>; Secure Code Mailing List<SC-L at securecoding.org>
Subject: Re: [SC-L] BSIMM: Confessions of a Software Security Alchemist (informIT)


_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________