hi sc-l,

There are many important security researchers who have given up on proving things about software as non-practical. Among them: Ross Anderson, Virgil Gligor, Bob Blakely, and Fred Schneider. All four of those guys have been past silver bullet victims, and each time we discussed the antiquated notion of formal approaches to software development.

Software security is an intensely practical problem that will require a practical approach. By studying organizations that are doing a decent job, perhaps we can draw some practical lessons. That's precisely what we're up to with the BSIMM <http://bsi-mm.com>.

gem

http://www.cigital.com/~gem

On 8/21/09 11:54 AM, "Brad Andrews" <andr...@rbacomm.com> wrote:

I completely agree, though how are we really going to reach this point? We have been talking about this at least since I got into development in the early 1980s. We are not anywhere closer, though we have lots of neat tools that do lots of neat stuff. Unfortunately, our programs are also a lot more complicated, making the "correct" proof much more difficult. Can we really believe it is "just around the corner" to prove this?

--
Brad Andrews
RBA Communications
CISM, CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI

Quoting "Cassidy, Colin (GE Infra, Energy)" <colin.cass...@ge.com>:

> Martin Gilje Jaatun wrote:
>
>> Karen, Matt & all,
>>
>> Goertzel, Karen [USA] wrote:
>> > I'm more devious. I think what needs to happen is that we
>> need to redefine what we mean by "functionally correct" or
>> "quality" code.

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.