Re: [SC-L] bumper sticker slogan for secure software

2006-07-24 Thread mikeiscool
Sorry, but it is a fact. Yes, you can have provably correct code. Cost is approximately $20,000 per line of code. That is what the procedures required for correct code cost. Oh, and they are kind of super-linear, so one program of 200 lines costs more than 2 programs of 100 lines. Someone

Re: [SC-L] bumper sticker slogan for secure software

2006-07-21 Thread Dana Epp
- From: mikeiscool [mailto:[EMAIL PROTECTED] Sent: Thursday, July 20, 2006 3:25 PM To: Wall, Kevin Cc: Dana Epp; SC-L@securecoding.org Subject: Re: [SC-L] bumper sticker slogan for secure software BTW, does anyone besides me think that it's time to put this thread to rest? I do. But i'm still

Re: [SC-L] bumper sticker slogan for secure software

2006-07-21 Thread der Mouse
What is important is that some magic formal tool could say that some code in language A, where bug of type k is possible, is not equivalent to the version in language B, where type k bugs are impossible, ergo you have found a type k bug (in the absence of any other bug in that section of

Re: [SC-L] bumper sticker slogan for secure software

2006-07-21 Thread mikeiscool
On 7/21/06, Dana Epp [EMAIL PROTECTED] wrote: yeah. but none of this changes the fact that it IS possible to write completely secure code. -- mic And it IS possible that a man will walk on Mars someday. But its not practical or realistic in the society we live in today. I'm sorry mic,

Re: [SC-L] bumper sticker slogan for secure software

2006-07-21 Thread John Wilander
I've actually been using a secure software slogan for a few years, both in teaching and in pitching business. It's taken from Howard and LeBlanc's book Writing Secure Code: - Security features are not secure features - The statement mesmerizes people and aguably needs a necessarily to be more

Re: [SC-L] bumper sticker slogan for secure software

2006-07-21 Thread Mark Graff
:06 -0400 From: Pascal Meunier [EMAIL PROTECTED] Subject: Re: [SC-L] bumper sticker slogan for secure software To: Gary McGraw [EMAIL PROTECTED], Florian Weimer [EMAIL PROTECTED], der Mouse [EMAIL PROTECTED] Cc: SC-L@securecoding.org Message-ID: [EMAIL PROTECTED] Content-Type: text/plain

Re: [SC-L] bumper sticker slogan for secure software

2006-07-20 Thread mikeiscool
On 7/20/06, Andrew van der Stock [EMAIL PROTECTED] wrote: Actually, it is a myth. For every non-trivial system, there are business pressures on resourcing, deadlines, and acceptable quality (pick any two). Once a business has set their taste for risk, it makes no sense to spend say $10m on

Re: [SC-L] bumper sticker slogan for secure software

2006-07-20 Thread Dana Epp
yeah. but none of this changes the fact that it IS possible to write completely secure code. -- mic And it IS possible that a man will walk on Mars someday. But its not practical or realistic in the society we live in today. I'm sorry mic, but I have to disagree with you here. It is EXTREMELY

Re: [SC-L] bumper sticker slogan for secure software

2006-07-20 Thread Florian Weimer
* der Mouse: Absolute security is a myth. As is designing absolutely secure software. I have high hopes in formal methods. All formal methods do is push bugs around. Basically, you end up writing in a higher-level language (the spec you are formally verifying the program meets). You

Re: [SC-L] bumper sticker slogan for secure software

2006-07-20 Thread Wall, Kevin
Dana, Regarding your remarks about writing perfectly secure code... well put. And your remarks about Ross Anderson... Ross Anderson once said that secure software engineering is about building systems to remain dependable in the face of malice, error, or mischance. I think he has something

Re: [SC-L] bumper sticker slogan for secure software

2006-07-20 Thread Pascal Meunier
On 7/20/06 11:58 AM, Florian Weimer [EMAIL PROTECTED] wrote: * der Mouse: Absolute security is a myth. As is designing absolutely secure software. I have high hopes in formal methods. All formal methods do is push bugs around. Basically, you end up writing in a higher-level

Re: [SC-L] bumper sticker slogan for secure software

2006-07-20 Thread Gary McGraw
www.swsec.com -Original Message- From: Pascal Meunier [mailto:[EMAIL PROTECTED] Sent: Thu Jul 20 13:54:42 2006 To: Florian Weimer; der Mouse Cc: SC-L@securecoding.org Subject:Re: [SC-L] bumper sticker slogan for secure software On 7/20/06 11:58 AM, Florian Weimer [EMAIL

Re: [SC-L] bumper sticker slogan for secure software

2006-07-20 Thread Blue Boar
Gary McGraw wrote: And don't forget about the compiler you will no doubt have to use. Do you trust that? You might want to read Thompson's classic reflections on trusting trust. www.acm.org/classics/sep95 All your compilers are belong to us. While that is always a good read, I'm not

Re: [SC-L] bumper sticker slogan for secure software

2006-07-20 Thread Florian Weimer
* Pascal Meunier: Also, writing it twice with different languages, especially at different levels of abstraction, makes it less likely that the same bugs will appear in both. Algorithmic issues such as denial of service attacks through unbalanced binary trees or hash table collisions are

Re: [SC-L] bumper sticker slogan for secure software

2006-07-20 Thread Pascal Meunier
, nobody can help you. Pascal -Original Message- From: Pascal Meunier [mailto:[EMAIL PROTECTED] Sent: Thu Jul 20 13:54:42 2006 To: Florian Weimer; der Mouse Cc: SC-L@securecoding.org Subject: Re: [SC-L] bumper sticker slogan for secure software On 7/20/06 11:58 AM, Florian

Re: [SC-L] bumper sticker slogan for secure software

2006-07-20 Thread leichter_jerrold
| Absolute security is a myth. As is designing absolutely secure | software. | | I have high hopes in formal methods. | | All formal methods do is push bugs around... | | But people are forced to spend more time with the code, which | generally helps them (in particular smart people)

Re: [SC-L] bumper sticker slogan for secure software

2006-07-20 Thread Pascal Meunier
On 7/20/06 3:46 PM, Florian Weimer [EMAIL PROTECTED] wrote: * Pascal Meunier: But it's true for stupid bugs like buffer overflows and format string vulnerabilities, in which we're still swimming, and the proof is the fact that those aren't possible in some languages. Could you name a

Re: [SC-L] bumper sticker slogan for secure software

2006-07-20 Thread Pascal Meunier
On 7/20/06 3:11 PM, Florian Weimer [EMAIL PROTECTED] wrote: * Pascal Meunier: Also, writing it twice with different languages, especially at different levels of abstraction, makes it less likely that the same bugs will appear in both. Algorithmic issues such as denial of service

Re: [SC-L] bumper sticker slogan for secure software

2006-07-20 Thread ljknews
At 9:46 PM +0200 7/20/06, Florian Weimer wrote: * Pascal Meunier: But it's true for stupid bugs like buffer overflows and format string vulnerabilities, in which we're still swimming, and the proof is the fact that those aren't possible in some languages. Could you name a few such language

Re: [SC-L] bumper sticker slogan for secure software

2006-07-19 Thread Pascal Meunier
, 2006 7:53 AM To: SC-L@securecoding.org Subject: [SC-L] bumper sticker slogan for secure software Paolo Perego [mailto:[EMAIL PROTECTED] writes: Software is like Titanic, pleople claim it was unsinkable. Securing is providing it power steering But power steering wouldn't have saved

Re: [SC-L] bumper sticker slogan for secure software

2006-07-19 Thread Andrew van der Stock
Actually, it is a myth. For every non-trivial system, there are business pressures on resourcing, deadlines, and acceptable quality (pick any two). Once a business has set their taste for risk, it makes no sense to spend say $10m on security controls on a product and delay it for six

Re: [SC-L] bumper sticker slogan for secure software

2006-07-19 Thread der Mouse
Absolute security is a myth. As is designing absolutely secure software. I have high hopes in formal methods. All formal methods do is push bugs around. Basically, you end up writing in a higher-level language (the spec you are formally verifying the program meets). You are then subject to

[SC-L] bumper sticker slogan for secure software

2006-07-18 Thread SC-L Subscriber Dave Aronson
Paolo Perego [mailto:[EMAIL PROTECTED] writes: Software is like Titanic, pleople claim it was unsinkable. Securing is providing it power steering But power steering wouldn't have saved it. By the time the iceberg was spotted, there was not enough time to turn that large a boat. Perhaps

Re: [SC-L] bumper sticker slogan for secure software

2006-07-18 Thread Dana Epp
, 2006 7:53 AM To: SC-L@securecoding.org Subject: [SC-L] bumper sticker slogan for secure software Paolo Perego [mailto:[EMAIL PROTECTED] writes: Software is like Titanic, pleople claim it was unsinkable. Securing is providing it power steering But power steering wouldn't have saved

Re: [SC-L] bumper sticker slogan for secure software

2006-07-18 Thread Andrew van der Stock
Best for older cars... My other car is a bit more secure Best for Volvos (or pick another high safety brand): I wish my finance systems are as safe as this car Honk if you want secure software Who has your data? Ask for secure software next time thanks, Andrew smime.p7s Description: S/MIME

Re: [SC-L] bumper sticker slogan for secure software

2006-07-18 Thread Wietse Venema
Dana Epp: Or perhaps less arrogance in believing it won't sink. Absolutely. Here's my $0.02: secure software fails safely Any non-trivial piece of software has defects. My challenge is not to eliminate the last defect, but to make the system safe to use (for some appropriate definition

Re: [SC-L] bumper sticker slogan for secure software

2006-07-18 Thread ...
well... there's no possible definition... unless programmers start thinking and acting in another way, and who commissions the software respect and pays for the real value of it, and users understand the value, Secure Software is an Oxymoron (there may be a reason why this has moron

[SC-L] bumper sticker slogan for secure software

2006-07-17 Thread SC-L Subscriber Dave Aronson
mikeiscool [mailto:[EMAIL PROTECTED] writes: The point remains though: trimming this down into a friendly little phrase is, IMCO, useless. One of the common problems in trying to persuade the masses of ANYTHING, be it the importance of secure software, the factual or moral correctness of