oss-sec mailing list archives
Re: How to do secure coding and create secure software
From: Jeremy Stanley <fungi () yuggoth org>
Date: Sat, 27 Sep 2025 22:17:18 +0000
On 2025-09-27 23:40:13 +0200 (+0200), Solar Designer wrote:
[...]
However, if in "functions/methods are secure" you refer only to smaller building blocks, then no, the program built from them may still be insecure. Also "the whole software" isn't necessarily just one program.
[...]

Yes, in practical terms the majority of security vulnerabilities I handle day to day lately stem from insecure design choices. The software is working as designed, but the design was poorly chosen.
Insecure coding patterns are mostly caught by static analyzers during development or review, and so don't typically even merge to the public code repository much less end up in the hands of users.
-- Jeremy Stanley
