Secure Coding mailing list archives
Dark Reading - Discovery and management - Security Startups Make Debut - Security News Analysis
From: ljknews at mac.com (ljknews)
Date: Mon, 22 Jan 2007 15:38:04 -0500
At 1:52 PM -0500 1/22/07, Kenneth Van Wyk wrote:
Ok, last software security news item for today, I promise. :-) This
article (see
<http://www.darkreading.com/document.asp?doc_id=115110&WT.svl=news1_1>)
is about a couple of new startup companies. One of them in particular,
Veracode, may be of some interest here. The article says, "Veracode,
founded by Chris Wysopal and other former executives of @stake, is now
offering patented binary-code analysis of software for enterprises that
want to analyze their software's security on a regular basis. The ASP will
also offer security reviews of enterprise products and security analysis
of third-party apps for software developers."
The article also provides some counterpoints, including some from Gary
McGraw, that are worth reading. Among other things, Gary says, "However,
if you want real security analysis you have to go past the binary, past
the source code, and actually consider the design."
Opinions on binary vs. source code (and design!) analysis, anyone?
Analyzing source code is independent of machine architecture. My guess is that if a company actually is capable of analyzing binary code they only do it for the highest volume instruction sets. My guess is that attackers will go after machines they feel are less protected. Efforts which merely change attacker behavior are a waste of time.
--
Larry Kilgallen
