Network Security SecProg

Re: Is this list still active?

Subject: Re: Is this list still active?
Date: Wed, 24 Nov 2004 19:49:23 +0100

> We all know how to make secure code because we've got organisations like
> OpenBSD and Wind River showing everyone how it's done. It's a painstaking,
> monastic review process that takes top people. I know that some organisations
> have equivalent inquisitional groups for when they can't afford to have their
> code blow up in their clients' face but in everyday code development there's
> no such rigour.

I don't quite share your optimism, and neither does the OpenBSD team.
Not anymore, that is.  I think we all remember how OpenBSD started
with the ideal of a core OS with well scrutinized code.  After a while
they've radically extended their approach to include mechanisms to
make it harder to exploit many classes of bugs.

I think it's a folly to assume that it is possible to write bug free
code; and security bugs are no exception.  That's why systems must be
designed such that they don't fail completely when a bug hits.

> Yeah, I like to think of code review in these terms; inquisition, monastic.
> Perhaps these guys should wear robes :) Our code serves an important and
> sometimes critical social function, we don't just owe it to our shareholders
> to produce good code, we contribute to the infrastructure of society.

Oh, absolutely, but code review should be the last step in a lengthy,
integrated, security process.  If code review is your only security
measure and if "secure programming" is your only tool, then you are
in trouble.

Casper
