In other words, flaws and defects caused through developer error, ignorance, negligence etc. can be exploited to cause harm. So even if one could prevent actual intentional malicious inclusions in software, one hasn't eliminated the problem of exploitable flawed logic.
The megachallenge, of course, is looking for what one doesn't actually know is there. Which is why software security testing is so hard.

===
Karen Mercedes Goertzel, CISSP
Lead Associate
Booz Allen Hamilton
703.698.7454
goertzel_ka...@bah.com

"I love deadlines. I like the whooshing sound they make as they fly by."
- Douglas Adams

________________________________________
From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] on behalf of Peter G. Neumann [neum...@csl.sri.com]
Sent: 08 May 2012 11:30
To: Gary McGraw
Cc: Secure Code Mailing List
Subject: Re: [SC-L] SearchSecurity: Badware versus malware

The differences are marginal.

> What's worse, bad software or malicious software? ...

My book has a pervasive theme:
Many things that could happen accidentally could be triggered intentionally.
Many things that happen intentionally could be triggered accidentally.
Trying to reduce one without the other may be foolhardy in most realistic threat models.

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________