Secure Coding mailing list archives

Re: Looking for good software security stats


From: Pascal Meunier <pmeunier () cerias purdue edu>
Date: Tue, 09 Mar 2004 00:14:22 +0000

It's ironic that the registration to see a security book sample is "required" by an asinine javascript.  Turn off javascript and the mechanism is defeated.  Oops, does turning off javascript violate the DMCA? :-)

Cheers,
Pascal Meunier
Purdue University CERIAS

On Mar 4, 2004, at 8:04 AM, Greenarrow 1 wrote:

At this site they have an Adobe PDF all about the below subject if anyone is interested in reading:

http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci952377,00.html?track=NL-102&ad=477590

[Ed. That would be the new Hoglund and McGraw book.  Oh, and (free)
registration is required for the above site. KRvW]

Exploiting Software: How to Break Code, Chapter 7 -- Buffer Overflow

Buffer Overflow 101
The buffer overflow remains the crown jewel of attacks, and it is likely to remain so for years to come. Part of this has to do with the common existence of vulnerabilities leading to buffer overflow. If holes are there, they will be exploited. Languages that have out-of-date memory management capability such as C and C++ make buffer overflows more common than they should be. As long as developers remain unaware of the security ramifications of using certain everyday library functions and system calls, the buffer overflow will remain commonplace.

Regards,
George
Greenarrow1
InNetInvestigations-Forensics


----- Original Message -----
From: "Kenneth R. van Wyk" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, March 03, 2004 12:17 PM
Subject: [SC-L] Looking for good software security stats

Hi all,

I'm looking for published reports on software vulnerabilities with regard to the software development process.  With a bit of googling, I've found some good starting points (e.g., www.securitytracker.com/learn/securitytracker-stats-2002.pdf), that provide stats on vulnerabilities by type.  I'm particularly interested in stats that provide insight into where in the software development process the vulnerabilities were introduced.

Anyone have some good citations to share?

Cheers,

Ken van Wyk
--
KRvW Associates, LLC
http://www.KRvW.com
