Re: [SC-L] Bugs and flaws

2006-02-07 Thread Crispin Cowan
Thanks for the very detailed and informative explanation. However, I still think it sounds like IE has too large of an attack surface :) It still seems to be the case that IE can be persuaded to execute any of a large amount of code based on its raw (web) input, with (fairly) arbitrary

[SC-L] Where to read about construction quality software

2006-02-07 Thread ljknews
The US Department of Homeland Security seems to be sponsoring a web site at https://buildsecurityin.us-cert.gov/portal/ , devoted to construction of quality software. But feeding that URL to http://validator.w3.org/ produces a list of 277 HTML errors on that software quality page :-) No, I don't

Re: [SC-L] RE: The role static analysis tools play in uncovering elements of design

2006-02-07 Thread Crispin Cowan
Jeff Williams wrote: I think there's a lot more that static analysis can do than what you're describing. They're not (necessarily) just fancy pattern matchers. ... Today's static analysis tools are only starting to help here. Tools focused on dumping out a list of vulnerabilities don't work

RE: [SC-L] Bugs and flaws

2006-02-07 Thread Jeff Williams
I'm not sure which of the three definitions in Brian's message you're not concurring with, but I think he was only listing them as strawmen anyway. In any case, there's no reason that static analysis tools shouldn't be able to find errors of omission. We use our tools to find these 'dogs that

Re: [SC-L] Bugs and flaws

2006-02-07 Thread Julie Ryan
8 principles with 2 more from physical security that apply only imperfectly to computer systems http://www.cap-lore.com/CapTheory/ProtInf/Basic.html On Feb 7, 2006, at 9:59 AM, Jeff Williams wrote: I'm not sure which of the three definitions in Brian's message you're not concurring with,