Secure Coding mailing list archives

Previous By Date Next
Previous By Thread Next

BSIMM: Confessions of a Software Security Alchemist(informIT)

From: goertzel_karen at bah.com (Goertzel, Karen [USA])
Date: Fri, 20 Mar 2009 10:06:46 -0400
Except when they're hardware bugs. :)

I think the differentiation is also meaningful in this regard: I can specify software that does non-secure things. I 
can implement that software 100% correctly. Ipso facto - no software bugs. But the fact remains that the software 
doesn't validate input because I didn't specify it to validate input, or it doesn't encrypt passwords because I didn't 
specify it to do so. I built to spec; it just happened to be a stupid spec. So the spec is flawed - but the implemented 
software conforms to that stupid spec 100%, so by definition it not flawed. It is, however, non-secure.

--
Karen Mercedes Goertzel, CISSP
Booz Allen Hamilton
703.698.7454
goertzel_karen at bah.com




-----Original Message-----
From: sc-l-bounces at securecoding.org on behalf of Benjamin Tomhave
Sent: Thu 19-Mar-09 19:28
To: Secure Code Mailing List
Subject: Re: [SC-L] BSIMM: Confessions of a Software Security Alchemist(informIT)
 
Why are we differentiating between "software" and "security" bugs? It
seems to me that all bugs are software bugs, ...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://krvw.com/pipermail/sc-l/attachments/20090320/25d2b12d/attachment.html
Previous By Date Next
Previous By Thread Next

Current thread: