Kragen Sitaker [EMAIL PROTECTED] said:
> Previously, I hadn't understood the psychological aspect of
> code-reading --- you have to understand not just what the code does,
> but what the previous programmer or programmers were thinking when
> they wrote it.
This echoes some of the things I've read in The Art of Software Security Assessment. It's been a few months, so I'm paraphrasing, but they're basically saying "To really get good at this code auditing thing, you've got to start thinking like the programmer that wrote the code being audited". Then you'll be able to know what other classes of vulnerabilities (or corner cases in classes of vulnerabilities) the authors are likely to have overlooked.

--paulv
