Secure Coding mailing list archives

What is the size of this list?

From: andrews at rbacomm.com (Brad Andrews)
Date: Fri, 21 Aug 2009 15:50:44 -0500


Great points Karen!  We can't prove a program is "secure" in the same vein.

The danger I am spouting off about is the idea that we would solve the  
software security problem if we just take a more "scientific" or  
"mature" (or whatever) approach.  I think those can definitely reduce  
the risk, but I don't think it will reach the goal.

I am all for getting 50% of the way there.  That is a lot better than  
being 0% or even 25% of the way there!  I am just VERY concerned that  
if we try to sell management the idea that we are now taking a  
"scientific" approach (or whatever the term), we will end up with  
implied promises that will lead them to expect perfection, which won't  
come.  They will likely ignore all our disclaimers that we are only  
seeking a partial solution to what we can solve, at least in the  
current state of thinking.

Getting them to even take any action is a challenge in many companies,  
so some could argue my concerns are foolish.  I think they are  
important because you want to make sure any buy-in you eventually get  
expects the right things.  If you don't do this, you will end up in an  
even worse position down the road.

-- 

Brad Andrews
RBA Communications
CISM, CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI


Quoting "Goertzel, Karen [USA]" <goertzel_karen at bah.com>:

Actually, we can't prove programs are bug free if by "bug" we also   
mean all possible anomalous behaviours. My colleagues keep pointing   
this out to me when I suggest that we should start leveraging the   
computational power of computing grids to analyze complex software   
the same way other researchers are using grids to develop models of   
the natural world, the human genome, etc. They keep quoting that   
bloke Kurt G?del with his pesky little incompletness theorem as   
proof that 100% complete analysis of software cannot be done.   
Frankly, I'm beginning to think this is their excuse for not even   
trying to get me to the 50%. But the point is, even if you can do   
everything "right" in terms of building software to be   
vulnerability-free and behaviourally-benign, you apparently cannot   
achieve 100% verification that you've done so. Ergo, assurance can   
never be 100%.

Current thread:

What is the size of this list?, (continued)
- - - What is the size of this list? Matt Bishop (Aug 20)
    - What is the size of this list? Goertzel, Karen [USA] (Aug 20)
    - What is the size of this list? Matt Bishop (Aug 20)
    - What is the size of this list? Martin Gilje Jaatun (Aug 20)
    - What is the size of this list? Gary McGraw (Aug 20)
- What is the size of this list? Joshua Morin (Aug 19)
- What is the size of this list? Peter G. Neumann (Aug 20)
  - What is the size of this list? Goertzel, Karen [USA] (Aug 20)
    - What is the size of this list? Brad Andrews (Aug 21)
    - What is the size of this list? Goertzel, Karen [USA] (Aug 21)
    - What is the size of this list? Brad Andrews (Aug 21)