At 7:56 PM +0200 3/19/10, AK wrote:
> It is way easier for attackers to reverse engineer desktop applications
> than web applications. Assuming proper server configuration, it is next
> to impossible for an attacker to get the server side source code or
> compressed form (e.g. WARs) for a web application and proceed with
> disassembly/decompilation/patching.

Assuming proper _desktop_ configuration, the user does not have the
ability to modify the programs they will execute, nor change the
protections of objects on the system.

http://nvd.nist.gov/fdcc/fdcc_faq.cfm

Yes, physical access to a computer means ultimately it is possible to
gain control, but the necessary measures do not constitute "easier",
and given control of one test machine it is not at all trivial to
transfer that to control of another machine, especially if the machines
are not connected to a common network.
--
Larry Kilgallen
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________