Secure Coding mailing list archives

BSIMM: Confessions of a Software Security Alchemist (informIT)


From: gem at cigital.com (Gary McGraw)
Date: Fri, 20 Mar 2009 23:41:15 -0400

hi pub,

once long ago I spilt a bottle of wine with dan geer in Palo Alto to lament his dead disk drive.  we decided the 
conference sucked anyway and proceeded to the Cowper.  we argued for hours about whether a buffer overflow was a bug or 
a flaw.  if you find one in a code pile (say, caused by a local variable on the stack and a gets call), it is a bug.  
Or is it a flaw that the C stack grows in an incredibly stupid way?   hmm.  Necker defect.

gem

http://www.cigital.com/~gem
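The bug Gary describes, as an added example that is not part of this thread: a local buffer on the stack filled by an unbounded gets-style read, next to the bounded fgets version. gets() was removed in C11 and current compilers reject it, so the example uses a hand-written gets_like() that reproduces its defect; read_name_buggy, read_name_fixed, input_from and NAME_LEN are names chosen here for illustration, not anything from the list or from Cigital.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* size of the stack buffer in both readers */

/* Stand-in for gets(), which C11 removed and current compilers reject
 * (an assumption of this example). Like gets(), it stops only at newline
 * or EOF, never at the end of dst, so it has the same defect. */
static char *gets_like(char *dst, FILE *in)
{
    char *p = dst;
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        *p++ = (char)c;               /* no bound: runs past dst[NAME_LEN-1] */
    *p = '\0';
    return (p == dst && c == EOF) ? NULL : dst;
}

/* The bug: a fixed-size local buffer filled by an unbounded read. Any line
 * of NAME_LEN or more characters overwrites whatever the compiler placed
 * after `name` on the stack (other locals, saved frame pointer, return
 * address). Only call this with short input; long input is undefined. */
int read_name_buggy(FILE *in, char *out, size_t outlen)
{
    char name[NAME_LEN];
    if (gets_like(name, in) == NULL)
        return -1;                    /* EOF before any data */
    snprintf(out, outlen, "%s", name);
    return 0;
}

/* The code-level fix: fgets() is told the buffer size and stores at most
 * NAME_LEN-1 characters plus the terminator. What to do with a line that
 * does not fit is a specification decision rather than a C detail; here it
 * is rejected (-2) and the unread tail is drained so the next call starts
 * on a fresh line instead of consuming the leftover as a new name. */
int read_name_fixed(FILE *in, char *out, size_t outlen)
{
    char name[NAME_LEN];
    if (fgets(name, sizeof name, in) == NULL)
        return -1;                    /* EOF before any data */
    size_t n = strlen(name);
    if (n > 0 && name[n - 1] == '\n') {
        name[n - 1] = '\0';           /* whole line fit; strip the newline */
    } else {
        int c = fgetc(in);            /* a line of exactly NAME_LEN-1 chars also fits */
        if (c != '\n' && c != EOF) {
            while ((c = fgetc(in)) != EOF && c != '\n')
                ;                     /* discard the rest of the long line */
            return -2;
        }
    }
    snprintf(out, outlen, "%s", name);
    return 0;
}

/* Helper for running the readers on constructed input without a terminal:
 * writes `text` to a temporary file and rewinds it. */
FILE *input_from(const char *text)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return NULL;
    fputs(text, f);
    rewind(f);
    return f;
}

int main(void)
{
    char out[NAME_LEN];
    /* Constructed input: a short name, a line that overflows a 16-byte
     * buffer, then another short name. */
    FILE *in = input_from("alice\n" "this-line-is-far-too-long\n" "bob\n");
    if (in == NULL)
        return 1;
    for (int i = 0; i < 3; i++) {
        int rc = read_name_fixed(in, out, sizeof out);
        printf("rc=%d name=%s\n", rc, rc == 0 ? out : "(rejected)");
    }
    fclose(in);
    return 0;
}
```

Feeding the same three lines to read_name_buggy instead would write nine bytes past the end of `name`; the buggy reader is kept here only to show how little separates the two, and main deliberately exercises the fixed one.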


On 3/20/09 2:28 PM, "Pravir Chandra" <chandra at list.org> wrote:

Well, it seems that there's an interesting nuance here. We don't really have a concrete definition for what software is 
(code, design, compiled bins, etc.). All of these things plus the subjective expectations from designers, users, and 
security folks tend to be the domain for how the term is used.

Now on to 'bug'... Same thing applies. A missing feature can be called a bug just as well as a flawed line of code (or 
even a specified feature that does something undesirable).

But, I'm of the mind that avoiding security problems in software comes down to specification and design. I know Gary 
likes to talk about security problems as bugs (code-level) vs flaws (design-level), but this abstraction isn't helpful 
when trying to build secure software in general (however, it is helpful in convincing people that are bug-chasing to 
look elsewhere too). In fact, I'd be willing to bet that for just about every software security problem we've dealt with, I 
could give you a design/spec level solution that would prevent it in general (and make auditing and so forth incredibly 
streamlined).

p.



~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~ ~~~~~ ~~~ ~~ ~
Pravir Chandra                      chandra<at>list<dot>org
PGP:    CE60 0E10 9207 7290 06EB   5107 4032 63FC 338E 16E4
~ ~~ ~~~ ~~~~~ ~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~

-----Original Message-----
From: "Goertzel, Karen [USA]" <goertzel_karen at bah.com>

Date: Fri, 20 Mar 2009 10:06:46
To: Benjamin Tomhave<list-spam at secureconsulting.net>; Secure Code Mailing List<SC-L at securecoding.org>
Subject: Re: [SC-L] BSIMM: Confessions of a Software Security Alchemist (informIT)


_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________