At 9:03 PM -0500 11/26/08, Mark Rockman wrote: > OK. So you decide to outsource your programming assignment to Asia and >demand that they deliver code that is so locked down that it cannot >misbehave. How can you tell that what they deliver is truly locked down? >Will you wait until it gets hacked? What simple yet thorough inspection >process is there that'll do the job? Doesn't exist, does it?
Certainly it exists. Rerun the verification of the formal proof, as used in the Tokeneer project I mentioned earlier. Of course a formal proof only proves that software conforms to a specification, so unless you have a specification you have nothing, and that is what a lot of software is lacking. -- Larry Kilgallen _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________