> One examining only source code will miss any errors or problems that
> may be introduced by the compiler or linker.  As Symantec says -
> working with the object code is working at the level the attackers
> work.
Some attackers, at least.  I have no doubt there are plenty of attackers
looking over source code hunting for logic bugs.

I would say that anyone who thinks that either source-level analysis or
binary-level analysis is the One True Answer is either talking about a
severely restricted subset or is deluded.  (Or, perhaps, is just trying
to delude others. :-)

Anything that finds bugs helps, whether it's eyeballs and brains, binary
analysis tools, source-level analysis tools, magic 8-balls, whatever -
if it finds bugs, it's good.

/~\ The ASCII                                   der Mouse
\ / Ribbon Campaign
 X  Against HTML                        [EMAIL PROTECTED]
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________