At 7:56 PM +0200 3/19/10, AK wrote:

> It is way easier for attackers to reverse engineer desktop applications
> than web applications. Assuming proper server configuration, it is next
> to impossible for an attacker to get the server side source code or
> compressed form (e.g. WARs) for a web application and proceed with
> disassembly/decompilation/patching.

Assuming proper _desktop_ configuration, the user does not have
the ability to modify the programs they will execute, nor change
the protections of objects on the system.

        http://nvd.nist.gov/fdcc/fdcc_faq.cfm

Yes, physical access to a computer means ultimately it is possible
to gain control, but the necessary measures do not constitute
"easier", and given control of one test machine it is not at all
trivial to transfer that to control of another machine, especially
if the machines are not connected to a common network.
-- 
Larry Kilgallen
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________
