exploring software and hardware security

articles about secure systems, secure protocols, tamperproofing, obfuscation, authentication, attack vectors…

Archive for the 'software security' Category

Testing the Security of Software

Posted by davitb on 25th September 2009

Quote from Bruce Schneier:

Think about the most recent security vulnerability you’ve read about. Maybe it’s a killer packet, which allows an attacker to crash some server by sending it a particular packet.

Maybe it’s one of the gazillions of buffer overflows, which allow an attacker to take control of a computer by sending it a particular malformed message. Maybe it’s an encryption vulnerability, which allows an attacker to read an encrypted message, or fool an authentication system. These are all software issues.

Testing software from a security standpoint is a key requirement, especially for software products with a security focus. Even if the product has been architected with the best security protocols and secure design best practices in mind, it doesn’t make much sense, as the attacker will prefer to focus on the application layer and will eventually find a vulnerability there and exploit it…. Remember, on application layer

Posted in software security, software testing

Why the quality of software is so bad?

Posted by davitb on 23rd September 2009

Have you ever thought about why it’s easy for people to create an elegant piano, a huge building with astonishing architecture or an excellently working elevator, but at the same time it’s so difficult to create a well-working text editor for a PC? Why do only very few people, when they open the garage, think that the garage door will fall down and destroy their car… while at the same time I’m sure that all people, when they type in a text editor on a PC, continuously think that the program may crash anytime… really, anytime!

During the last several decades people have created a completely new discipline, a new world, something that even the most ingenious fiction writers didn’t come up with – computers and software. Today it’s in our lives every day, everywhere, almost every second… I think that’s wonderful progress…

Software and hardware are used everywhere: at home, when we drive a car, when we fly on an airplane, when we talk on the phone, when we watch TV, when we send mail or wait in a queue in a restaurant…

However, in parallel with this big progress there is one thing that I think is not improving very well over time: the quality of software. Although people recognize and give very high priority to the technologies, processes and methodologies that raise the opportunity to improve the quality of the software being developed, there is no big progress in this area.

What do you think is the reason behind this? How can we solve this problem, and finally, how is software security connected to its quality?

I will try to briefly discuss these questions in this article.

Posted in software security, software testing