Secure Coding mailing list archives
What is the size of this list?
From: gem at cigital.com (Gary McGraw)
Date: Thu, 20 Aug 2009 09:26:32 -0400
Hi Martin and Rafael,

I agree with Martin. Software security is essential in most embedded systems. Also note that there is an interesting fractal line between hardware and software in such systems that often makes for interesting security situations. Consider Java-based smart cards (which I worked on a decade ago), which were susceptible to both malicious applets and differential power analysis. Designing a secure system involved understanding both the hardware and the software.

At Cigital we continue to do lots of software security work with embedded systems companies, especially in the mobile space. The OS vendors, the carriers, and the application providers all have security responsibilities (and can all screw the whole thing up).

By the way, QUALCOMM was a member of the BSIMM study and has a mature software security initiative underway. See http://bsi-mm.com

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
podcast www.cigital.com/realitycheck
blog www.cigital.com/justiceleague
book www.swsec.com

On 8/20/09 5:14 AM, "Martin Gilje Jaatun" <secse-chair at sislab.no> wrote:

> Rafael Ruiz wrote:
>
> > I am a lurker (I think), I am an embedded programmer and work at Lowrance (a brand of the Navico company), and I don't think I can provide too much to security because embedded software is closed per se.
>
> IMHO, it is very dangerous to assume that "since it is embedded, nobody has the source code". This "security through obscurity" approach was employed by the Bell telephone system in the 70's and 80's, but it turned out that there was no limit to what Phone Phreaks and their kin could dig up of supposedly secret information, including schematics and instruction manuals. In more recent times, reverse engineering of the DVD Content Scrambling System (CSS) and various RFID electronic fare cards has proven that if someone has physical access to a device, you must also assume that they can access the software.
>
> -Martin

_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________