Secure Coding mailing list archives
RE: Checking values
From: "Brown, James (Jim)" <JBrown () thrupoint net>
Date: Sun, 07 Dec 2003 17:42:17 +0000
OO based software was designed to address complexity- classes at higher levels depend on code at lower levels. And like any layered activity, the weakest layer (or class) is the limit of security. The problem is you don't *really know* the level of security of the lower classes. You just use them assuming that the other developer did his homework. Without this implicit assumption, you would always have to ask is "Which circle of trust do I want to go to today?" I can't spend time verifying all the lower classes and levels of software I use to write code- I'd never get anything done. What I try to do is verify that I use the most 'mature' classes of code (modules) I can find. This is not a perfect (or even a really good) solution, but I can't think of a better one. jpb ===
Current thread:
- Checking values Chris Richards (Dec 05)
- <Possible follow-ups>
- Re: Checking values carolyn . ryll (Dec 06)
- Re: Checking values Peter G. Neumann (Dec 07)
- RE: Checking values Brown, James (Jim) (Dec 07)