Secure Coding mailing list archives
Functional Correctness
From: gem at cigital.com (Gary McGraw)
Date: Fri, 21 Aug 2009 15:43:36 -0400
hi sc-l,

There are many important security researchers who have given up on proving things about software as non-practical. Among them: Ross Anderson, Virgil Gligor, Bob Blakely, and Fred Schneider. All four of those guys have been past silver bullet victims, and each time we discussed the antiquated notion of formal approaches to software development.

Software security is an intensely practical problem that will require a practical approach. By studying organizations that are doing a decent job, perhaps we can draw some practical lessons. That's precisely what we're up to with the BSIMM <http://bsi-mm.com>.

gem
http://www.cigital.com/~gem

On 8/21/09 11:54 AM, "Brad Andrews" <andrews at rbacomm.com> wrote:

> I completely agree, though how are we really going to reach this point? We have been talking about this at least since I got into development in the early 1980s. We are not anywhere closer, though we have lots of neat tools that do lots of neat stuff. Unfortunately, our programs are also a lot more complicated, making the "correct" proof much more difficult.
>
> Can we really believe it is "just around the corner" to prove this?
>
> --
> Brad Andrews
> RBA Communications
> CISM, CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI
>
> Quoting "Cassidy, Colin (GE Infra, Energy)" <colin.cassidy at ge.com>:
>
>> Martin Gilje Jaatun wrote:
>>> Karen, Matt & all,
>>>
>>> Goertzel, Karen [USA] wrote:
>>>> I'm more devious. I think what needs to happen is that we need to redefine what we mean by "functionally correct" or "quality" code.