Secure Coding mailing list archives
Dr. Dobb's | The Truth About Software Security | January 20, 2007
From: mshines at purdue.edu (Michael S Hines)
Date: Tue, 30 Jan 2007 09:17:36 -0500
One examining only source code will miss any errors or problems that may be introduced by the compiler or linker. As Symantec says, working with the object code is working at the level the attackers work. Of course one would have to verify the object code made public is the same object code that was analyzed/verified. Otherwise you could get the case where the code was advertised as 'checked' and it still has a vulnerability. Of course that could happen anyway, as the process probably isn't perfect (though much better than nothing). Not all compilers or linkers are perfect either.

There is only one way to get it right, yet so many ways to get it wrong.

Mike Hines
-----------------------------
Michael S Hines
mshines at purdue.edu

_____
From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of Kenneth Van Wyk
Sent: Tuesday, January 30, 2007 5:25 AM
To: Secure Coding
Subject: [SC-L] Dr. Dobb's | The Truth About Software Security | January 20, 2007

FYI, there's an interesting article on ddj.com about Symantec's new "Veracode" binary code analysis service.
http://www.ddj.com/dept/security/196902326

Among other things, the article says, "Veracode clients send a compiled version of the software they want analyzed over the Internet and within 72 hours receive a Web-based report explaining--and prioritizing--its security flaws."

Any SC-Lers have any first-hand experience with Veracode that they're willing to share here? Opinions?

Cheers,
Ken
-----
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
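The point Mike raises about confirming that the object code you ship is the object code that was actually analyzed comes down to a digest check. The script below is an added example, not code from the list post, from Symantec or from Veracode; it assumes a hypothetical manifest in which the analysis report records a SHA-256 digest for each submitted artifact, and compares that to what is about to be published. The sample "binaries" are constructed in a temporary directory so the script runs offline.

```python
"""Check that a shipped binary is byte-for-byte the one that was analyzed.

Added example, not code from the list post or from any analysis vendor. It
assumes a hypothetical manifest format: a mapping from the relative path of
each submitted artifact to the SHA-256 hex digest the analysis covered.
"""
import hashlib
import hmac
import os
import tempfile
from typing import Dict


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(path: str, expected_sha256: str) -> bool:
    """True only if the on-disk artifact matches the digest the report covered."""
    actual = sha256_file(path)
    # compare_digest forces a full-length comparison of the two hex strings
    # rather than an early-exit compare; both are ASCII hex, so str is fine.
    return hmac.compare_digest(actual.lower(), expected_sha256.lower())


def verify_manifest(manifest: Dict[str, str], base_dir: str) -> Dict[str, str]:
    """Map each manifest path to 'ok', 'mismatch' or 'missing'.

    Anything other than 'ok' for every entry means the published set is not
    the analyzed set and the 'checked' label should not be applied.
    """
    results: Dict[str, str] = {}
    for rel, digest in manifest.items():
        full = os.path.join(base_dir, rel)
        if not os.path.isfile(full):
            results[rel] = "missing"
        elif verify_artifact(full, digest):
            results[rel] = "ok"
        else:
            results[rel] = "mismatch"
    return results


def demo() -> Dict[str, str]:
    """Constructed sample: two artifacts analyzed, one silently rebuilt afterwards."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-in for an analyzed build; not a real ELF binary.
        analyzed = b"\x7fELF" + b"\x00" * 60 + b"analyzed build"
        for name in ("app", "libhelper.so"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(analyzed)
        manifest = {
            "app": hashlib.sha256(analyzed).hexdigest(),
            "libhelper.so": hashlib.sha256(analyzed).hexdigest(),
            # Recorded by the report but never copied into the release tree.
            "plugin.so": hashlib.sha256(b"never shipped").hexdigest(),
        }
        # Rebuild one artifact after the report came back: a one-byte change
        # is enough to make the analysis result inapplicable.
        with open(os.path.join(d, "libhelper.so"), "r+b") as f:
            f.seek(len(analyzed) - 1)
            f.write(b"!")
        return verify_manifest(manifest, d)


if __name__ == "__main__":
    for rel, status in demo().items():
        print(f"{status:9} {rel}")
```

The digest in the manifest must come from the analysis side (embedded in the report or signed alongside it), not recomputed from whatever is in the release directory; otherwise the check only proves a file matches itself.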
Current thread:
- Dr. Dobb's | The Truth About Software Security | January 20, 2007 Kenneth Van Wyk (Jan 30)
- Dr. Dobb's | The Truth About Software Security | January 20, 2007 ljknews (Jan 30)
- Dr. Dobb's | The Truth About Software Security | January 20, 2007 Michael S Hines (Jan 30)
- Dr. Dobb's | The Truth About Software Security | January 20, 2007 Gadi Evron (Jan 30)
- Dr. Dobb's | The Truth About Software Security | January 20, 2007 der Mouse (Jan 30)
- Dr. Dobb's | The Truth About Software Security | January 20, 2007 Chris Wysopal (Jan 30)