SecurityFocus

Writing Secure code Dec 27 2002 12:46PM
Rahul Chander Kashyap (rahul nsecure net) (6 replies)

Re: Writing Secure code Dec 28 2002 03:36AM
K K Mookhey (cto nii co in)

Re: Writing Secure code Dec 27 2002 11:16PM
Bob Bruen (coldrain sover net)

Re: Writing Secure code Dec 27 2002 06:17PM
Dana Epp (dana vulscan com)

Re: Writing Secure code Dec 27 2002 06:03PM
Valdis Kletnieks vt edu (2 replies)

Re: Writing Secure code Dec 28 2002 07:40AM
Glynn Clements (glynn clements virgin net) (2 replies)

Re: Writing Secure code Dec 29 2002 12:35AM
Cesar (cesarc56 yahoo com)

Re: Writing Secure code Dec 28 2002 07:04PM
Crispin Cowan (crispin wirex com)

RE: Writing Secure code Dec 27 2002 08:51PM
Roger Alexander (rta cs colostate edu) (1 replies)

RE: Writing Secure code Dec 30 2002 12:41PM
Matt McClellan (mmcclellan nfr com) (2 replies)

RE: Writing Secure code Jan 01 2003 02:46AM
peleus (peleus peleus net) (1 replies)

RE: Writing Secure code Jan 03 2003 04:36AM
Timo Sirainen (tss iki fi)

Re: Writing Secure code[update] Dec 31 2002 10:20AM
Rahul Chander Kashyap (rahul nsecure net) (2 replies)

Re: Writing Secure code[update] Jan 01 2003 12:21PM
K K Mookhey (cto nii co in) (2 replies)

Re: Writing Secure code[update] Jan 04 2003 12:31AM
Warwick Molloy (wmolloy optushome com au)

Re: Writing Secure code[update] Jan 02 2003 11:55PM
Alex Russell (alex netWindows org)

Re: Writing Secure code[update] Dec 31 2002 08:28PM
Crispin Cowan (crispin wirex com)

RE: Writing Secure code Dec 27 2002 05:46PM
Jeremy Epstein (jepstein webmethods com) (1 replies)

Re: Writing Secure code Dec 27 2002 08:50PM
Valdis Kletnieks vt edu

Re: Writing Secure code Dec 27 2002 05:43PM
John Viega (viega list org) (2 replies)

Re: Writing Secure code Dec 27 2002 09:54PM
Alex Russell (alex netWindows org) (1 replies)

Re: Writing Secure code Dec 27 2002 08:57PM
John Viega (viega list org)

RE: Writing Secure code Dec 27 2002 08:59PM
Matt McClellan (mcc nfr com) (1 replies)

I would explicitly qualify "not exploitable" as "not exploitable in a given
environment". Developers will generally have to make some assumptions when
writing code. Take that code to an environment where one of the assumptions
is invalid and there might be an exploit. I don't see how writing something
that is absolutely "not exploitable" is any more possible than "total
security".

--Matt

> -----Original Message-----
> From: John Viega [mailto:viega (at) list (dot) org [email concealed]]
> Sent: Friday, December 27, 2002 12:44 PM
> To: Rahul Chander Kashyap
> Cc: secprog (at) securityfocus (dot) com [email concealed]
> Subject: Re: Writing Secure code
>
>
> Of course it's possible to write something that's not exploitable.
> However, it's tougher than most people think. For example, I've seen
> applications that the authors assumed were not networked whatsoever,
> and had no special local privilege. However, if the files they read
> and wrote were stored on a remote file system such as an SMB mount,
> then their otherwise non-networked program was completely exploitable.
>
> John
>
> On Friday, December 27, 2002, at 07:46 AM, Rahul Chander Kashyap wrote:
>
> > Hi people,
> >
> > I've been going through some articles on how to write secure code esp.
> > from: http://www.shmoo.com/securecode/
> >
> > I am looking for something more specific for the windows platform. Are
> > there any specific guidelines/standards that one could follow?
> >
> > And one more thing...<this one might be intresting ;-)> Is it possible
> > to write code that is completely secure and not exploitable?
> >
> > Thanks for parsing thru my mail :-)
> >
> > Regards,
> >
> > Rahul Kashyap
> >
> > www.nsecure.net
> > ------------------------
> > Layered Defence
> > ------------------------
> >
> >
>
>

[ reply ]

Re: Writing Secure code Dec 27 2002 09:06PM
John Viega (viega list org)