Secure Coding mailing list archives
BSIMM: Confessions of a Software Security Alchemist(informIT)
From: gem at cigital.com (Gary McGraw)
Date: Fri, 20 Mar 2009 23:30:19 -0400
hi all,

my preference is to lead with an Architectural Risk Analysis (and has been since 1997).

gem
http://www.cigital.com/~gem

On 3/20/09 3:07 PM, "Jim Manico" <jim at manico.net> wrote:

> This is why I'm not fond of leading with a tool. I prefer to lead with architectural/design analysis and targeted manual review of high risk applications.
>
> Jim Manico
> jim at manico.net
>
> On Mar 20, 2009, at 4:06 AM, "Goertzel, Karen [USA]" <goertzel_karen at bah.com> wrote:
>
>> Except when they're hardware bugs. :)
>>
>> I think the differentiation is also meaningful in this regard: I can specify software that does non-secure things. I can implement that software 100% correctly. Ipso facto - no software bugs. But the fact remains that the software doesn't validate input because I didn't specify it to validate input, or it doesn't encrypt passwords because I didn't specify it to do so. I built to spec; it just happened to be a stupid spec. So the spec is flawed - but the implemented software conforms to that stupid spec 100%, so by definition it is not flawed. It is, however, non-secure.
>>
>> --
>> Karen Mercedes Goertzel, CISSP
>> Booz Allen Hamilton
>> 703.698.7454
>> goertzel_karen at bah.com
>>
>> -----Original Message-----
>> From: sc-l-bounces at securecoding.org on behalf of Benjamin Tomhave
>> Sent: Thu 19-Mar-09 19:28
>> To: Secure Code Mailing List
>> Subject: Re: [SC-L] BSIMM: Confessions of a Software Security Alchemist(informIT)
>>
>>> Why are we differentiating between "software" and "security" bugs? It seems to me that all bugs are software bugs, ...
_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________