[SC-L] Resource limitation

2006-07-17 Thread leichter_jerrold
I was recently looking at some code to do regular expression matching, when it occurred to me that one can produce fairly small regular expressions that require huge amounts of space and time. There's nothing in the slightest bit illegal about such regexp's - it's just inherent in regular

Re: [SC-L] Comparing Scanning Tools

2006-06-07 Thread leichter_jerrold
| Date: Mon, 5 Jun 2006 16:50:17 -0400 | From: McGovern, James F (HTSC, IT) [EMAIL PROTECTED] | To: sc-l@securecoding.org | Subject: [SC-L] Comparing Scanning Tools | | The industry analyst take on tools tends to be slightly different than | software practitioners at times. Curious if anyone has

Re: [SC-L] Where are developers who know how to develop secure so ftware?

2006-06-07 Thread leichter_jerrold
On Mon, 5 Jun 2006, David A. Wheeler wrote: | ... One reason is that people can get degrees in | Computer Security or Software Engineering without knowing how to | develop software that receives hostile data. Even the | Software Engineering Body of Knowledge essentially | omits security issues (a

Re: [SC-L] By default, the Verifier is disabled on .Net and Java

2006-05-15 Thread leichter_jerrold
| Kevin is correct, a type confusion attack will allow the bypass of the | security manager simply because via a type confusion attack you will be able | to change what the security manager is 'seeing' | | So in an environment where you have a solid Security Policy (enforced by a |