Re: [SC-L] Root Canal Treatment vs Source Code Review

2008-07-01 Thread ljknews
At 10:43 PM -0400 6/30/08, Mary and Glenn Everhart wrote:

> There is another reason I have seen quite often: you can't readily ask
> the designer of the code what it does when he is dead, or when he has
> left the company (esp. if he works for a competitor).

When I participated (as author) in formal inspection there were
as many defects found (and fixed) in the comments as in the code.
And most people think my comments are better than average.

I have "left the company" but still have some access to see
what defects they have found since.
-- 
Larry Kilgallen
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] Root Canal Treatment vs Source Code Review

2008-07-01 Thread Mary and Glenn Everhart
Jonathan Leffler wrote:
> Under the subject "InternetNews Realtime IT News - Merchants Cope With PCI 
> Compliance", Kenneth Van Wyk <[EMAIL PROTECTED]> wrote:
> [...] In talking with my customers over the past several months, I always 
> find it interesting that the vast majority would sooner have root canal 
> than submit their source code to anyone for external review. [...]
>
> There's a simple reason for that reluctance - most people are painfully 
> aware that their software won't stand the scrutiny that an external review 
> would entail.
>
There is another reason I have seen quite often: you can't readily ask
the designer of the code what it does when he is dead, or when he has
left the company (esp. if he works for a competitor). In many such
situations I see code that gets touched at all with great fear and
trembling, because people are not certain they can build it all from
sources. Eventually that gets replaced, but in some cases that may be
long delayed.

I've used a few tools to analyze code, and noticed that mostly they
don't really know how trustworthy external information is (or even, for
sure, what is external). The result is that much hand winnowing is
needed. Still, they seem to take less looking than learning an entire
code base.

I still favor trying to characterize what functions are supposed to be
invoked by calls to routines, and trying to characterize this for each
call, giving rise to a hopefully small number of permitted patterns for
any call location. Obviously this is much easier to do for interpreters
like SQL than HTML, but the approach may do better against future
attacks than other approaches.

Glenn Everhart

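The "small number of permitted patterns per call location" idea in Glenn's message, worked through for SQL as an added example. This is not code from the post or from any tool he mentions. It assumes a hypothetical application with two concatenating call sites (`lookup_user_query` and `list_orders_query`, with made-up site labels), reduces each statement to its token shape with literals replaced by `?`, learns the benign shapes per site, and then flags any statement whose shape is not on that site's list. The lexer is a crude constructed one, not a real SQL parser.

```python
"""Per-call-site SQL structure allow-list (added example, hypothetical app)."""
import re
from collections import defaultdict

# Crude lexer, enough to separate literals, identifiers, operators and comments.
# Comments are checked before operators so "--" is never split into two "-".
_TOKEN = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<string>'(?:[^']|'')*')
  | (?P<number>\b\d+(?:\.\d+)?\b)
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<op><>|<=|>=|!=|[=<>(),;*.+\-/])
  | (?P<other>.)
""", re.VERBOSE | re.DOTALL)

KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "INSERT", "INTO",
            "VALUES", "UPDATE", "SET", "DELETE", "UNION", "ALL", "ORDER", "BY",
            "ASC", "DESC", "LIMIT", "NULL", "LIKE", "IN"}


def structure(sql: str) -> tuple:
    """Reduce a statement to its shape: every literal becomes '?', keywords are
    upper-cased, other identifiers lower-cased, whitespace is dropped, and a
    comment is kept as a marker token (an injected comment changes the shape,
    even when it only truncates the statement)."""
    shape = []
    for m in _TOKEN.finditer(sql):
        kind, text = m.lastgroup, m.group()
        if kind == "ws":
            continue
        if kind in ("string", "number"):
            shape.append("?")
        elif kind == "comment":
            shape.append("--COMMENT")
        elif kind == "word":
            up = text.upper()
            shape.append(up if up in KEYWORDS else text.lower())
        else:
            shape.append(text)          # operator, punctuation or stray char
    return tuple(shape)


class CallSiteAllowList:
    """Permitted statement shapes, keyed by call site (e.g. file:line)."""

    def __init__(self):
        self._allowed = defaultdict(set)

    def learn(self, site: str, sql: str) -> None:
        self._allowed[site].add(structure(sql))

    def permitted(self, site: str, sql: str) -> bool:
        return structure(sql) in self._allowed[site]


# Two hypothetical call sites that build SQL by concatenation (the kind of
# code the check is meant to guard; not something to copy).
def lookup_user_query(username: str) -> str:
    return "SELECT id, role FROM users WHERE name = '" + username + "'"


def list_orders_query(customer_id, newest_first: bool) -> str:
    sql = "SELECT id, total FROM orders WHERE customer_id = " + str(customer_id)
    if newest_first:
        sql += " ORDER BY placed_at DESC"
    return sql


USER_SITE = "app/auth.py:42"      # hypothetical site labels
ORDERS_SITE = "app/orders.py:17"

allow = CallSiteAllowList()
# Learn the benign shapes from known-good inputs: one shape for the user
# lookup, two for the order listing (with and without the ORDER BY clause).
allow.learn(USER_SITE, lookup_user_query("alice"))
allow.learn(ORDERS_SITE, list_orders_query(1, False))
allow.learn(ORDERS_SITE, list_orders_query(1, True))


if __name__ == "__main__":
    # Constructed inputs: two benign, three hostile.
    for site, sql in [
        (USER_SITE, lookup_user_query("O''Brien")),
        (ORDERS_SITE, list_orders_query(7, True)),
        (USER_SITE, lookup_user_query("' OR '1'='1")),
        (USER_SITE, lookup_user_query("admin'--")),
        (ORDERS_SITE, list_orders_query("7 OR 1=1", False)),
    ]:
        print("permitted" if allow.permitted(site, sql) else "REJECTED ", sql)
```

The check lives at the point where the finished statement is handed to the database, so it costs one tokenisation per query. Its limit is exactly the one the message hints at: it only works where the "interpreter" has a grammar simple enough to reduce to a shape, and an attack that keeps the learned shape (changing only literal values) passes. Parameterised queries remain the real fix; the allow-list is a detection net for legacy call sites nobody dares rewrite.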


[SC-L] Root Canal Treatment vs Source Code Review

2008-06-30 Thread Jonathan Leffler
Under the subject "InternetNews Realtime IT News - Merchants Cope With PCI 
Compliance", Kenneth Van Wyk <[EMAIL PROTECTED]> wrote:
[...] In talking with my customers over the past several months, I always 
find it interesting that the vast majority would sooner have root canal 
than submit their source code to anyone for external review. [...]

There's a simple reason for that reluctance - most people are painfully 
aware that their software won't stand the scrutiny that an external review 
would entail.

-- 
Jonathan Leffler ([EMAIL PROTECTED])
STSM, Informix Database Engineering, IBM Information Management
4400 N First St, San Jose, CA 95134-1257
Tel: +1 408-956-2436 Tieline: 475-2436
"I don't suffer from insanity; I enjoy every minute of it!"


