Re: [SC-L] bumper sticker slogan for secure software

| Absolute security is a myth. As is designing absolutely secure | software. | >> | >>> I have high hopes in formal methods. | >> | >> All formal methods do is push bugs around... | > | > But people are forced to spend more time with the code, which | > generally helps them (in partic

Re: [SC-L] Resource limitation

| > I was recently looking at some code to do regular expression | > matching, when it occurred to me that one can produce fairly small | > regular expressions that require huge amounts of space and time. | > There's nothing in the slightest bit illegal about such regexp's - | > it's just inherent

[SC-L] Resource limitation

I was recently looking at some code to do regular expression matching, when it occurred to me that one can produce fairly small regular expressions that require huge amounts of space and time. There's nothing in the slightest bit illegal about such regexp's - it's just inherent in regular expressi

Re: [SC-L] "Bumper sticker" definition of secure software

Secure Software: Safe Ex ecution (No, I'm not serious.) -- Jerry ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc -

Re: [SC-L] Where are developers who know how to develop secure so ftware?

On Mon, 5 Jun 2006, David A. Wheeler wrote: | ... One reason is that people can get degrees in | Computer Security or Software Engineering without knowing how to | develop software that receives hostile data. Even the | "Software Engineering Body of Knowledge" essentially | omits security issues (

Re: [SC-L] Comparing Scanning Tools

| Date: Mon, 5 Jun 2006 16:50:17 -0400 | From: "McGovern, James F (HTSC, IT)" <[EMAIL PROTECTED]> | To: sc-l@securecoding.org | Subject: [SC-L] Comparing Scanning Tools | | The industry analyst take on tools tends to be slightly different than | software practitioners at times. Curious if anyone h

Re: [SC-L] Re: [WEB SECURITY] On sandboxes, and why you should ca re

| Stephen de Vries wrote: | > Hi Dinis, | > | > I think you're overestimating the effectiveness of a sandbox in preventing | > common web app vulnerabilities, and you're instead focussing on the tiny | > fraction of specific attacks that can be stopped with sandboxes. | Well Stephen, I would argue

Re: [SC-L] By default, the Verifier is disabled on .Net and Java

| Kevin is correct, a type confusion attack will allow the bypass of the | security manager simply because via a type confusion attack you will be able | to change what the security manager is 'seeing' | | So in an environment where you have a solid Security Policy (enforced by a | Security