On Tue, 30 Jan 2007, Michael S Hines wrote:
> One examining only source code will miss any errors or problems that may be
> introduced by the compiler or linker.  As Symantec says - working with the
> object code is working at the level the attackers work.  
>  
> Of course one would have to verify the object code made public is the same
> object code that was analyzed/verified.   Otherwise you could get the case
> where the code was advertised as 'checked' and it still has a
> vulnerability.    Of course that could happen anyway - as the process
> probably isn't perfect (though much better than nothing).   
>  
> Not all compilers or linkers are perfect either.   
>  
> There is only one way to get it right, yet so many ways to get it wrong.   

One question which would be very interesting is whether this is just
static analysis (which of course leads to other questions) or if this is
done while the binary is running.

        Gadi.

>  
> Mike Hines
>  
> -----------------------------
> Michael S Hines
> [EMAIL PROTECTED] 
>  
> 
> 
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Kenneth Van Wyk
> Sent: Tuesday, January 30, 2007 5:25 AM
> To: Secure Coding
> Subject: [SC-L] Dr. Dobb's | The Truth About Software Security | January 20, 2007
> 
> 
> FYI, there's an interesting article on ddj.com about a Symantec's new
> "Veracode" binary code analysis service.
> 
> http://www.ddj.com/dept/security/196902326 
> 
> Among other things, the article says, "Veracode clients send a compiled
> version of the software they want analyzed over the Internet and within 72
> hours receive a Web-based report explaining--and prioritizing--its security
> flaws." 
> 
> 
> Any SC-Lers have any first-hand experience with Veracode that they're
> willing to share here? Opinions?
> 
> 
> Cheers,
> 
> 
> Ken
> 
> -----
> Kenneth R. van Wyk
> SC-L Moderator
> KRvW Associates, LLC
> http://www.KRvW.com

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________