On Tue, Mar 22, 2011 at 8:41 AM, Gary McGraw <g...@cigital.com> wrote: > hi sc-l, > > The tie between malware (think zeus and stuxnet) and broken software of the > sort we work hard on fixing is difficult for some parts of the market to > fathom. I think it's simple: software riddled with bugs and flaws leads > directly to the malware problem. No, you don't use static analysis to "find > malware" as the AT&T guys sometimes think…you use it to find the kinds of > bugs that malware exploits to get a toehold on target servers. One level > removed, but a clear causal effect.
Gary, Interestingly, your article only covers malware that gets installed by exploiting a technical vulnerability, not malware that gets installed by exploiting a human vulnerability (social engineering). I've been looking around and haven't found much data on infection rates, percentages, success rates, etc. but "voluntarily" installed malware is a significant and growing concern, and it requires an entirely different approach than that required for malware that exploits a technical vuln. Thoughts? - Andy _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates _______________________________________________