[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] Auditing code for security problems

To: <full-disclosure@lists.netsys.com>
Subject: [Full-Disclosure] Auditing code for security problems
From: "Bill Royds" <full-disclosure@royds.net>
Date: Wed, 29 Oct 2003 21:27:22 -0500

   In an
article(http://msdn.microsoft.com/msdnmag/issues/03/11/SecurityCodeReview/de
fault.aspx) in the Novermber issue of MSDN magazine,  Michael Howard (who
wrote building secure code), gives pointers to finding security defects in
code.
  "Allocating Time and Effort
  I have a ranking system I use to determine how much relative time I need
to spend reviewing the code. The system is based on the damage potential if
a vulnerability is exploited and the potential for attack. The quota system
is based on the following traits:
Does the code run by default?
Does the code run with elevated privileges?
Is the code listening on a network interface?
Is the network interface unauthenticated?
Is the code written in C/C++?
Does the code have a prior history of vulnerability?
Is this component under close scrutiny by security researchers?
Does the code handle sensitive or private data?
Is the code reusable (for example, a DLL, C++ class header, library, or
assembly)?
Based on the threat model, is this component in a high-risk environment or
subject to many high-risk threats?
"



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- Re: [Full-Disclosure] Off topic programming thread
  - From: Alexandre Dulaunoy <alexandre.dulaunoy@ael.be>

Prev by Date: Re: [Full-Disclosure] Off topic programming thread
Next by Date: Re: [Full-Disclosure] System monitor scheme
Previous by thread: Re: [Full-Disclosure] Off topic programming thread
Next by thread: RE: [Full-Disclosure] Off topic programming thread
Index(es):
- Date
- Thread