Secure Coding mailing list archives

Re: SearchSecurity: Badware versus malware


From: "Goertzel, Karen [USA]" <goertzel_karen () bah com>
Date: Thu, 10 May 2012 16:04:31 +0000

In other words, flaws and defects caused through developer error, ignorance, negligence etc. can be exploited to cause 
harm. So even if one could prevent actual intentional malicious inclusions in software, one hasn't eliminated the 
problem of exploitable flawed logic.

The megachallenge, of course, is looking for what one doesn't actually know is there. Which is why software security 
testing is so hard.

===
Karen Mercedes Goertzel, CISSP
Lead Associate
Booz Allen Hamilton
703.698.7454
goertzel_karen () bah com

"I love deadlines. I like the whooshing sound they make as they fly by."
- Douglas Adams

________________________________________
From: sc-l-bounces () securecoding org [sc-l-bounces () securecoding org] on behalf of Peter G. Neumann [neumann () csl sri com]
Sent: 08 May 2012 11:30
To: Gary McGraw
Cc: Secure Code Mailing List
Subject: Re: [SC-L] SearchSecurity: Badware versus malware

The differences are marginal.
What's worse, bad software or malicious software? ...

My book has a pervasive theme:
  Many things that could happen accidentally could be triggered
intentionally.
  Many things that happen intentionally could be triggered accidentally.

Trying to reduce one without the other may be foolhardy in most realistic
threat models.

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
