I agree with Ryan, at the top skill levels anyway. Binary reverse engineering seems to have evolved to the point where I refer to binary as "source-equivalent," and I was told by some well-known applied researcher that some vulns are easier to find in binary than source.
But the bulk of public disclosures are not by top researchers, so I'd suspect that in the general field, source inspection is more accessible than binary. So with closed source, people are more likely to use black box tools, which might not be as effective in finding things like format string issues, which often hide in rarely triggered error conditions but are easy to grep for in source. And maybe the people who have source code aren't going to be as likely to use black box testing, which means that obscure malformed-input issues might not be detected. This is probably the general researcher; the top researcher is more likely to do both. Since techniques vary so widely across individuals and researcher bias is not easily measurable, it's hard to get a conclusive answer about whether there's a fundamental difference in the *latent* vulns in open vs. closed (modulo OS-specific vulns), but the question is worth exploring. On Tue, 12 Jun 2007, Blue Boar wrote: > Crispin Cowan wrote: > > Do you suppose it is because of the different techniques researchers use > > to detect vulnerabilities in source code vs. binary-only code? Or is > > that a bad assumption because the hax0rs have Microsoft's source code > > anyway? :-) > > I'm in the process of hiring an outside firm for security review of the > product for the day job. They didn't seem particularly interested in the > source, the binaries are sufficient. It appears to me that the > distinction between source and object is becoming a bit moot nowadays. > > > Ryan > _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________