Paco Hope p...@cigital.com wrote:
just as overly simplistic as
someone who disparages all credentials equally.
On that note... my company (BAE Systems) has been pushing for people
to become CISSPs, because in turn the main client (US gov) has been
pushing for contractors to have a bunch of
I would argue that the security 'bugs' you've described are in fact
functional deficiencies in the implemented design. That is, the exploit
of them has a direct impact on functional performance of the
application, even if it's just a problem with error handling (input
validation).
I would further
I have to post this blog in response.
http://labs.mudynamics.com/2008/07/14/zen-and-the-art-of-fixing-p1-bugs
Love the security testing IS functional testing, BTW.
K.
---
http://www.pcapr.net
On Thu, Mar 19, 2009 at 4:28 PM, Benjamin Tomhave
list-s...@secureconsulting.net wrote:
Why are we
So, what you're saying is that security bugs are really design flaws,
assuming a perfect implementation of the design. Ergo, security bug is
at best a misnomer, and at worst a fatal deficiency in design acumen.
:)
-ben
Goertzel, Karen [USA] wrote:
Except when they're hardware bugs. :)
I
Well, it seems that there's an interesting nuance here. We don't really have a
concrete definition for what software is (code, design, compiled bins, etc.).
All of these things plus the subjective expectations from designers, users, and
security folks tend to be the domain for how the term is
I would refer you to Section 7.2.2.2, Professional Certifications, starting on
page 272 of Software Security Assurance: A State-of-the-Art Report which can
be downloaded from: http://iac.dtic.mil/iatac/download/security.pdf
The report was published in July 2007; there may be additional