[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] Microsoft Outlines New Initiatives in Ongoi ng Security Efforts To Help Customers
- To: full-disclosure@lists.netsys.com
- Subject: Re: [Full-Disclosure] Microsoft Outlines New Initiatives in Ongoi ng Security Efforts To Help Customers
- From: "Kenneth R. van Wyk" <ken@vanwyk.org>
- Date: Thu, 9 Oct 2003 15:15:42 -0400
On Thursday 09 October 2003 13:50, Dehner, Benjamin T. wrote:
> What is interesting in this article is what Balmer does NOT say.
> Specifically:
> -- code auditing to prevent security problems
> -- Q/A testing of software to detect bugs
> -- testing of patches to prevent patch interaction and over-write
> issues
> -- third party security testing
These all seem to me to be reasonable steps for detecting/preventing/removing
software implementation flaws, but they don't address design or architectural
concerns. That being said, ridding the world of every buffer overflow would
be a great thing. But I'm still concerned with design problems. For
example, an email program that allows a user to mouse-click on an attachment
and run it with all of the privileges of the user has a fundamental design
flaw that removing every single buffer overflow and such won't cure.
Likewise for architectural flaws.
IMHO, developing safe software must be an engineering process that, among
other things, includes tests at each phase of the development life cycle.
Testing source code is just one component of that.
Cheers,
Ken van Wyk
(Co-author, Secure Coding (O'Reilly, 2003), http://www.securecoding.org)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html