Secure Coding mailing list archives
On "application security"
From: "Gary McGraw" <gem () cigital com>
Date: Thu, 19 Feb 2004 18:59:35 +0000
Read this you guys. This paper expands a bit on the distinction I like to draw between application security and software security. http://www.cigital.com/papers/download/software-security-gem.pdf Needless to say, I worry about what happens when the current crop of "application security" vendors looks at actual code. gem p.s. Not that black box testing is *completely* useless. p.p.s. Actual citation: Gary McGraw (2002) Building Secure Software: Better than Protecting Bad Software. IEEE Software, Volume 19, Number 6, pages 57-59. (Point/Counterpoint with Greg Hoglund.) ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ----------------------------------------------------------------------------
Current thread:
- On "application security" Gary McGraw (Feb 19)
- Re: On "application security" Kenneth R. van Wyk (Feb 20)
- <Possible follow-ups>
- RE: On "application security" Gary McGraw (Feb 20)