hi sc-l, The tie between malware (think zeus and stuxnet) and broken software of the sort we work hard on fixing is difficult for some parts of the market to fathom. I think it's simple: software riddled with bugs and flaws leads directly to the malware problem. No, you don't use static analysis to "find malware" as the AT&T guys sometimes think…you use it to find the kinds of bugs that malware exploits to get a toehold on target servers. One level removed, but a clear causal effect.
Malware is something Cigital has been thinking and writing about for many years. This month's informIT column takes a walk down memory lane and then fast forwards to today. Modern Malware<http://www.informit.com/articles/article.aspx?p=1695979> (March 22, 2011) This month's article is the latest in a series I have been publishing for over 5 years. You can find all of the articles here: http://www.cigital.com/~gem/writings/ Incidentally, a Justice League blog entry featuring the malware article also includes a pointer to a video produced by Dasient about the malware problem. See http://www.cigital.com/justiceleague/ gem _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates _______________________________________________
