RE: Writing Secure code

From: Jeremy Epstein (jepstein@webmethods.com)
Date: 12/27/02

    From: "Jeremy Epstein" <jepstein@webmethods.com>
    To: "Rahul Chander Kashyap" <rahul@nsecure.net>, <secprog@securityfocus.com>
    Date: Fri, 27 Dec 2002 12:46:05 -0500
    
    

    > And one more thing...<this one might be interesting ;-)> Is it possible
    > to write code that is completely secure and not exploitable?

    Yes.

    main() { exit(0); }

    is completely secure and not exploitable. Beyond that, you're on your own
    :-)

    I think what you really mean is "is it possible to write code THAT DOES
    SOMETHING USEFUL that is completely secure and not exploitable". In
    general, the answer is "no". Any program of even moderate complexity, by
    today's standards, includes so much baggage that it's impossible to say with
    absolute certainty that it's secure. Even if there are no vulnerabilities in
    your code, the stuff you drag in (e.g., DLLs) is highly likely to have
    problems.

    --Jeremy


