mikeiscool wrote: > On 7/17/06, Crispin Cowan <[EMAIL PROTECTED]> wrote: >> > Goertzel Karen wrote: >> > I've been struggling for a while to synthesise a definition of secure >> > software that is short and sweet, yet accurate and comprehensive. >> >> My favorite is by Ivan Arce, CTO of Core Software, coming out of a >> discussion between him and I on a mailing list about 5 years ago. >> >> Reliable software does what it is supposed to do. Secure software >> does what >> it is supposed to do, and nothing else. > and what if it's "supposed" to take unsanitzed input and send it into > a sql database using the administrators account? > > is that secure? "supposed to" goes to intent. If it is a bug that allows this, then it was not intentional. If it was intended, then (from this description) it was likely a Trojan Horse, and it is secure from the perspective of the attacker who put it there.
IMHO, bumper sticker slogans are necessarily short and glib. There isn't room to put in all the qualifications and caveats to make it a perfectly precise statement. As such, mincing words over it is a futile exercise. Or you could just print a technical paper on a bumper sticker, in really small font :) Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering, Novell http://novell.com Necessity is the mother of invention ... except for pure math _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php
