SecurityFocus 2000-09-04
Last month's Brown Orifice program opened a backdoor to an insecure future. Can open source save the day?
Open Source Solution
2000-09-05
Pete Kofod (2 replies)
"All bugs are shallow" is a delusion of Open Source Arguments
2000-09-08
peter (at) smalltalk (dot) org [email concealed]

Different modules are developed under different assumptions about the user.
Most programmers consider users as friends, i.e. they don't expect them to feed garbage to the program.
However, modules written under such assumptions (e.g. the modified JPEG library) are used in environments where evil intentions of some parties cannot be ruled out.
This is the core of most problems mentioned in the article.
The solution would be to always link the assumptions to the code.
This way, "user-trusting" code will not be linked into a "paranoid" program unless it is upgraded to the required security level through a code review.
This is mostly a management issue, but it affects every developer.
Every module should be assigned a security level throughout the whole development cycle.
This way you don't open new holes by including new components.
Link to this comment: http://www.securityfocus.com/comments/articles/80/3294#3294
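One way to turn the idea in the comment above (a declared security level on every module, checked when components are linked together) into something a build can enforce, as an added example that is not the commenter's code: each module declares the assumption it was written under, and a link-time check walks the dependency graph and refuses any module whose level is below what the program requires. The level names, the module names and the dependency graph are constructed for illustration; the "jpeg-modified" module stands in for the modified JPEG library the comment mentions.

```python
"""Link-time security-level check: refuse to link a 'user-trusting' module
into a program that requires a higher level.  Added example; the level
names, module names and dependency graph below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List

# Ordered security levels. A module may be linked into a program only if
# its own level is at least the level the program requires.
LEVELS = {"user-trusting": 0, "reviewed": 1, "paranoid": 2}


@dataclass
class Module:
    name: str
    level: str                       # declared assumption about callers/input
    deps: List[str] = field(default_factory=list)

    def __post_init__(self):
        if self.level not in LEVELS:
            raise ValueError(f"{self.name}: unknown security level {self.level!r}")


def check_link(required: str, root: str, modules: Dict[str, Module]) -> List[str]:
    """Walk the dependency graph from `root` and return one message per
    module that must not be linked: either its level is below `required`,
    or it has no declared level at all.  An undeclared module counts as a
    violation rather than being silently trusted."""
    if required not in LEVELS:
        raise ValueError(f"unknown required level {required!r}")
    violations: List[str] = []
    seen = set()
    stack = [(root, [root])]          # (module name, path from root)
    while stack:
        name, path = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        mod = modules.get(name)
        chain = " -> ".join(path)
        if mod is None:
            violations.append(f"{chain}: {name!r} has no declared security level")
            continue
        if LEVELS[mod.level] < LEVELS[required]:
            violations.append(
                f"{chain}: {name!r} is {mod.level!r}, program requires {required!r}")
        for dep in mod.deps:
            stack.append((dep, path + [dep]))
    return sorted(violations)


# Constructed dependency graph modelled on the comment: a network-facing
# program pulls in an image library that was written assuming friendly input,
# while a local tool with the same assumption may use it freely.
MODULES = {
    "browser":       Module("browser",       "paranoid",      ["netcode", "imagelib"]),
    "netcode":       Module("netcode",       "paranoid",      []),
    "imagelib":      Module("imagelib",      "paranoid",      ["jpeg-modified"]),
    "jpeg-modified": Module("jpeg-modified", "user-trusting", []),
    "imgtool":       Module("imgtool",       "user-trusting", ["jpeg-modified"]),
}

if __name__ == "__main__":
    for prog in ("browser", "imgtool"):
        problems = check_link(MODULES[prog].level, prog, MODULES)
        print(prog, "OK" if not problems else "\n  ".join(["BLOCKED:"] + problems))
```

Run as a build step, the check blocks `browser` because the transitive path `browser -> imagelib -> jpeg-modified` reaches a "user-trusting" module, while `imgtool` links cleanly; the only way to clear the block is to raise the declared level of `jpeg-modified`, which is exactly the review step the comment asks for.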