| Absolute security is a myth. As is designing absolutely secure
| software.
| >>
| >>> I have high hopes in formal methods.
| >>
| >> All formal methods do is push bugs around...
| >
| > But people are forced to spend more time with the code, which
| > generally helps them (in partic
| > I was recently looking at some code to do regular expression
| > matching, when it occurred to me that one can produce fairly small
| > regular expressions that require huge amounts of space and time.
| > There's nothing in the slightest bit illegal about such regexps -
| > it's just inherent
I was recently looking at some code to do regular expression matching,
when it occurred to me that one can produce fairly small regular
expressions that require huge amounts of space and time. There's
nothing in the slightest bit illegal about such regexps - it's just
inherent in regular expressi
Secure Software: Safe Execution
(No, I'm not serious.)
-- Jerry
___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc -
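The point Jerry makes above (a tiny, perfectly legal regular expression that costs exponential time on the right input) is easy to reproduce. What follows is an added example, not part of the original SC-L message; it uses only Python's standard `re` module. The pattern `^(a+)+$`, the hostile inputs and the `MAX_INPUT` length cap are all constructed here for illustration.

```python
"""Catastrophic backtracking on a small regular expression.

Added example, not from the original mailing-list post. Everything below
(the pattern, the inputs, the length cap) is constructed for illustration.
"""
import re
import time

# Nested quantifier: on "aaa...ab" a backtracking engine tries every way of
# splitting the run of a's between the inner and outer `+` before it can
# report failure, roughly 2**(n-1) attempts for n a's.
PATHOLOGICAL = re.compile(r"^(a+)+$")
# Same language, unambiguous: each character can match in only one way.
UNAMBIGUOUS = re.compile(r"^a+$")


def hostile_input(n: int) -> str:
    """Constructed input: n a's followed by a character that forces failure."""
    return "a" * n + "b"


def match_cost(pattern: re.Pattern, text: str, repeat: int = 3) -> tuple:
    """Return (matched, best-of-`repeat` wall time in seconds) for pattern.match()."""
    best = float("inf")
    matched = None
    for _ in range(repeat):
        t0 = time.perf_counter()
        matched = pattern.match(text) is not None
        best = min(best, time.perf_counter() - t0)
    return matched, best


def growth_factor(pattern: re.Pattern, n_small: int, n_large: int) -> float:
    """How much slower the match gets when the input grows from n_small to n_large a's."""
    _, t_small = match_cost(pattern, hostile_input(n_small))
    _, t_large = match_cost(pattern, hostile_input(n_large))
    return t_large / max(t_small, 1e-9)


MAX_INPUT = 64  # assumed cap for this example; size it for your own inputs


def safe_match(text: str) -> bool:
    """Mitigation: cap the input length and use the unambiguous pattern.

    Both patterns accept exactly the same strings, so the rewrite preserves
    behaviour; the length cap is a second, pattern-independent defence for
    cases where no unambiguous rewrite is available.
    """
    if len(text) > MAX_INPUT:
        raise ValueError("input too long for regex matching")
    return UNAMBIGUOUS.match(text) is not None


if __name__ == "__main__":
    for n in (10, 14, 18):
        m, t = match_cost(PATHOLOGICAL, hostile_input(n))
        print(f"n={n:2d} matched={m} pathological={t:.4f}s")
    m, t = match_cost(UNAMBIGUOUS, hostile_input(18))
    print(f"n=18 matched={m} unambiguous={t:.6f}s")
```

Run it and watch the pathological timing roughly double with every extra `a`, while the unambiguous pattern stays flat; the same input handed to a service that matches untrusted data with the first pattern is a denial of service with no "illegal" characters in it.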
On Mon, 5 Jun 2006, David A. Wheeler wrote:
| ... One reason is that people can get degrees in
| Computer Security or Software Engineering without knowing how to
| develop software that receives hostile data. Even the
| "Software Engineering Body of Knowledge" essentially
| omits security issues (
| Date: Mon, 5 Jun 2006 16:50:17 -0400
| From: "McGovern, James F (HTSC, IT)" <[EMAIL PROTECTED]>
| To: sc-l@securecoding.org
| Subject: [SC-L] Comparing Scanning Tools
|
| The industry analyst take on tools tends to be slightly different than
| software practitioners at times. Curious if anyone h
| Stephen de Vries wrote:
| > Hi Dinis,
| >
| > I think you're overestimating the effectiveness of a sandbox in preventing
| > common web app vulnerabilities, and you're instead focussing on the tiny
| > fraction of specific attacks that can be stopped with sandboxes.
| Well Stephen, I would argue
| Kevin is correct, a type confusion attack will allow the bypass of the
| security manager simply because via a type confusion attack you will be able
| to change what the security manager is 'seeing'
|
| So in an environment where you have a solid Security Policy (enforced by a
| Security