One examining only source code will miss any errors or problems that may be introduced by the compiler or linker. As Symantec says, working with the object code is working at the level the attackers work.

Of course one would have to verify the object code made public is the same object code that was analyzed/verified. Otherwise you could get the case where the code was advertised as 'checked' and it still has a vulnerability. Of course that could happen anyway, as the process probably isn't perfect (though much better than nothing). Not all compilers or linkers are perfect either.

There is only one way to get it right, yet so many ways to get it wrong.

Mike Hines
-----------------------------
Michael S Hines
[EMAIL PROTECTED]
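The check Mike raises above, that the binary shipped to users is byte-for-byte the one that was analyzed, comes down to binding the analysis report to a digest of the submitted artifact and comparing the published artifact against that digest. The following is an added illustration, not code from the original post and not anything Veracode or Symantec publishes; the product/version names and the short byte strings standing in for compiled object code are constructed for the example. It also shows why the version label alone is not a binding: a relinked binary with a single byte changed carries the same version string and fails the check.

```python
"""Bind a binary-analysis result to the exact artifact that was analysed.

Added example. The "binaries" below are constructed byte strings standing in
for compiled object code, not real executables; names are hypothetical.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class AnalysisRecord:
    """What an analysis report should carry so a reader can confirm that the
    artifact in hand is the one that was actually examined."""
    product: str
    version: str
    sha256: str   # hex digest of the analysed bytes; this is the only binding


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_analysis(product: str, version: str, artifact: bytes) -> AnalysisRecord:
    """Called when the artifact is submitted; the digest goes into the report."""
    return AnalysisRecord(product, version, sha256_hex(artifact))


def verify_published(record: AnalysisRecord, published: bytes) -> tuple[bool, str]:
    """Compare the published artifact against the report's digest.

    Product name and version string are deliberately NOT used for the
    decision: a rebuilt or relinked binary can carry the same version string
    and still differ from what was analysed.
    """
    digest = sha256_hex(published)
    if hmac.compare_digest(digest, record.sha256):
        return True, "published artifact is byte-identical to the analysed one"
    return False, (f"mismatch for {record.product} {record.version}: "
                   f"analysed {record.sha256[:12]}..., published {digest[:12]}...")


# Constructed stand-ins for object code (not real ELF/PE files).
ANALYSED = b"\x7fELF" + bytes(range(64))
REPUBLISHED_SAME = bytes(ANALYSED)
# Same version label, but one byte differs, e.g. a relink after the analysis.
REPUBLISHED_RELINKED = ANALYSED[:40] + b"\xff" + ANALYSED[41:]


def demo() -> dict[str, bool]:
    """Run the check against an identical and a relinked republication."""
    rec = record_analysis("widget", "1.2.3", ANALYSED)
    ok_same, _ = verify_published(rec, REPUBLISHED_SAME)
    ok_relinked, _ = verify_published(rec, REPUBLISHED_RELINKED)
    return {"same": ok_same, "relinked": ok_relinked}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'OK' if ok else 'MISMATCH'}")
```

In practice the digest would be computed over the file the vendor actually submitted and printed in the report itself; a downstream consumer then hashes the released file and compares. A digest match says nothing about the quality of the analysis, only that the analysis applied to these exact bytes.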
_____
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kenneth Van Wyk
Sent: Tuesday, January 30, 2007 5:25 AM
To: Secure Coding
Subject: [SC-L] Dr. Dobb's | The Truth About Software Security | January 20, 2007

FYI, there's an interesting article on ddj.com about Symantec's new "Veracode" binary code analysis service.

http://www.ddj.com/dept/security/196902326

Among other things, the article says, "Veracode clients send a compiled version of the software they want analyzed over the Internet and within 72 hours receive a Web-based report explaining--and prioritizing--its security flaws."

Any SC-Lers have any first-hand experience with Veracode that they're willing to share here? Opinions?

Cheers,

Ken
-----
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________