Re: [SC-L] SearchSecurity: Badware versus malware

2012-05-12 Thread Gary McGraw
The article does not suggest otherwise.

gem

On 5/11/12 1:51 PM, Ben Laurie b...@google.com wrote:

On 8 May 2012 07:18, Gary McGraw g...@cigital.com wrote:
 hi sc-l,

 What's worse, bad software or malicious software?  In fact, what's the
difference?

 My second column for SearchSecurity is all about that.  Read it today.
And pass it on.
 http://searchsecurity.techtarget.com/opinion/Gary-McGraw-Eliminating-badware-addresses-malware-problem

 Bottom line: Talking about malware may be more fun and entertaining
than talking about endless security bugs, but if we're going to combat
malware we have to start with the badware vector.

Fixing badware universally would plug one hole - and it's certainly a
hole worth plugging. But it won't eliminate malware - it seems it is
not hard to persuade users to install it for you, for example.


 gem

 company www.cigital.com
 podcast www.cigital.com/silverbullet
 blog www.cigital.com/justiceleague
 book www.swsec.com

 ___
 Secure Coding mailing list (SC-L) SC-L@securecoding.org
 List information, subscriptions, etc -
http://krvw.com/mailman/listinfo/sc-l
 List charter available at - http://www.securecoding.org/list/charter.php
 SC-L is hosted and moderated by KRvW Associates, LLC
(http://www.KRvW.com)
 as a free, non-commercial service to the software security community.
 Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
 ___




Re: [SC-L] SearchSecurity: Badware versus malware

2012-05-12 Thread Ben Laurie
On 11 May 2012 20:07, Gary McGraw g...@cigital.com wrote:
 The article does not suggest otherwise.

Well, it certainly does _suggest_ it: All of the things that we do to
improve software security are aimed explicitly at the badware
problem.

It doesn't say it, though, I agree.




Re: [SC-L] SearchSecurity: Badware versus malware

2012-05-11 Thread Goertzel, Karen [USA]
In other words, flaws and defects caused through developer error, ignorance, 
negligence etc. can be exploited to cause harm. So even if one could prevent 
actual intentional malicious inclusions in software, one hasn't eliminated the 
problem of exploitable flawed logic.

The megachallenge, of course, is looking for what one doesn't actually know is 
there. Which is why software security testing is so hard.

===
Karen Mercedes Goertzel, CISSP
Lead Associate
Booz Allen Hamilton
703.698.7454
goertzel_ka...@bah.com

I love deadlines. I like the whooshing sound they make as they fly by.
- Douglas Adams


From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] on behalf 
of Peter G. Neumann [neum...@csl.sri.com]
Sent: 08 May 2012 11:30
To: Gary McGraw
Cc: Secure Code Mailing List
Subject: Re: [SC-L] SearchSecurity: Badware versus malware

The differences are marginal.
 What's worse, bad software or malicious software? ...

My book has a pervasive theme:
  Many things that could happen accidentally could be triggered
intentionally.
  Many things that happen intentionally could be triggered accidentally.

Trying to reduce one without the other may be foolhardy in most realistic
threat models.



[SC-L] SearchSecurity: Badware versus malware

2012-05-08 Thread Gary McGraw
hi sc-l,

What’s worse, bad software or malicious software?  In fact, what’s the 
difference?

My second column for SearchSecurity is all about that.  Read it today.  And 
pass it on.
http://searchsecurity.techtarget.com/opinion/Gary-McGraw-Eliminating-badware-addresses-malware-problem

Bottom line: Talking about malware may be more fun and entertaining than 
talking about endless security bugs, but if we’re going to combat malware we 
have to start with the badware vector.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
