I have a better idead.  Stop using C++.  Jeeze.

gem



 -----Original Message-----
From:   Robert C. Seacord [mailto:[EMAIL PROTECTED]
Sent:   Thu Dec 21 20:40:35 2006
To:     McGovern, James F (HTSC, IT)
Cc:     Thomas Plum; Secure Coding
Subject:        Re: [SC-L] Compilers


James,

Response below.
> I have been noodling the problem space of secure coding after
> attending a wonderful class taught by Ken Van Wyk. I have been
> casually checking out Fortify, Ounce Labs, etc and have a thought that
> this stuff should really be part of the compiler and not a standalone
> product. Understanding that folks do start companies to make up
> deficiencies in what large vendors ignore, how far off base in my
> thinking am I?
Tom Plum (from Plum Hall, Inc.) is developing a solution called
Safe/Secure C/C++ (SSCC) that might interest you
(http://www.plumhall.com/sscc.html).  SSCC incorporates static-analysis
methods into the compiler as well adding as run-time protections schemes
to eliminate buffer overflows as well as mitigate against other types of
vulnerabilities.  (I know that the claim seems exaggerated, but the
approach seems quite sound and I have yet to identify a case that SSCC
can not eliminate). 

Anyway, there is more information on his web site and I have cc'd Tom on
this message in case you would like to contact him directly.

rCs
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________




----------------------------------------------------------------------------
This electronic message transmission contains information that may be
confidential or privileged.  The information contained herein is intended
solely for the recipient and use by any other party is not authorized.  If
you are not the intended recipient (or otherwise authorized to receive this
message by the intended recipient), any disclosure, copying, distribution or
use of the contents of the information is prohibited.  If you have received
this electronic message transmission in error, please contact the sender by
reply email and delete all copies of this message.  Cigital, Inc. accepts no
responsibility for any loss or damage resulting directly or indirectly from
the use of this email or its contents.
Thank You.
----------------------------------------------------------------------------

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________

Reply via email to