), and the absence of rate
limitation on expensive operations can create DoS vulnerabilities. All
these were found the old fashioned way, with a code audit.
Pascal Meunier
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information:
Here's one for the daily UGH!
Great points raised by Pascal Meunier (see below) about poorly
implemented language support for Prepared Statement SQL calls. In
particular, Python's pyPGSQL actually takes its prepared statement and
translates internally to an old-style concatenated string query
trust boundaries are crossed, but the
importance of the find seems a little exaggerated.
Regards,
Pascal Meunier
Kenneth Van Wyk wrote:
Greetings SC-Lers,
Things have been pretty quiet here on the SC-L list...
I hope everyone saw David Litchfield's recent announcement of a new
category
On 8/31/06 8:05 PM, mikeiscool [EMAIL PROTECTED] wrote:
On 9/1/06, Pascal Meunier [EMAIL PROTECTED] wrote:
On 8/30/06 3:46 PM, Tim Hollebeek [EMAIL PROTECTED] wrote:
What you've proposed are exceptions. They do help (some) in separating
the normal logic from error handling
I take exception (haha!) at having them dismissed like this. It sounds like
you encountered some badly written exception handling code. Error handling
can also be really bad, where at every call layer the original error gets
filtered or translated to a point where you just know something went
be part of good programming practices.
Pascal Meunier
Tim Hollebeek
Research Scientist
Teknowledge, Corp.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael S Hines
Sent: Wednesday, August 30, 2006 11:07 AM
To: sc-l@securecoding.org
be highlighted and caught. It's not revolutionary, but it's better than
what we have now. Would it be good enough? I can picture people deleting
those assert statements that just make their programs crash ;)
Pascal Meunier
On 8/30/06 2:07 PM, Michael S Hines [EMAIL PROTECTED] wrote:
a simple
Nice. I'll mention it in my secure programming class this semester. I'd be
interested in any exercises/labs based on it, appropriate for undergrads.
Cheers,
Pascal
On 8/17/06 10:04 AM, Robert C. Seacord [EMAIL PROTECTED] wrote:
The CERT/CC has released a beta version of a secure integer
On 7/20/06 11:58 AM, Florian Weimer [EMAIL PROTECTED] wrote:
* der Mouse:
Absolute security is a myth. As is designing absolutely secure
software.
I have high hopes in formal methods.
All formal methods do is push bugs around. Basically, you end up
writing in a higher-level
, nobody can help you.
Pascal
-Original Message-
From: Pascal Meunier [mailto:[EMAIL PROTECTED]
Sent: Thu Jul 20 13:54:42 2006
To: Florian Weimer; der Mouse
Cc: SC-L@securecoding.org
Subject: Re: [SC-L] bumper sticker slogan for secure software
On 7/20/06 11:58 AM, Florian
On 7/20/06 3:46 PM, Florian Weimer [EMAIL PROTECTED] wrote:
* Pascal Meunier:
But it's true for stupid bugs like buffer overflows and format string
vulnerabilities, in which we're still swimming, and the proof is the fact
that those aren't possible in some languages.
Could you name
On 7/20/06 3:11 PM, Florian Weimer [EMAIL PROTECTED] wrote:
* Pascal Meunier:
Also, writing it twice with different languages, especially at different
levels of abstraction, makes it less likely that the same bugs will appear
in both.
Algorithmic issues such as denial of service
).
- It conveys the notion that insecure software is shoddy;
- It conveys the notion that there are people who will find out that you run
insecure software;
- It may motivate some people to care about security by invoking social
stigma ;)
Cheers,
Pascal Meunier
Purdue University CERIAS
On 7/15/06 3:27
information about it. I am also
interested in the Linux Security Modules Interface.
Regards,
Pascal Meunier
On 4/2/06 6:49 PM, Crispin Cowan [EMAIL PROTECTED] wrote:
This is exactly what AppArmor http://en.opensuse.org/Apparmor was
designed for: conveniently confining applications to only be able
On 1/30/06 1:09 PM, Kenneth R. van Wyk [EMAIL PROTECTED] wrote:
Any AJAX experts here want to comment on the eWeek article cited below?
http://www.eweek.com/article2/0,1895,1916673,00.asp
It claims, among other things that, AJAX dramatically increases the amount of
XML network traffic