Streetwise Security Zone Community


Scott Wright's editorials on a variety of security issues for non-technical business managers and home computer users. Please feel free to comment and help spread the word that managers need to think about their information security risks.


  Scott Wright's Security Views

Magic Crypto Fairy Dust

Wednesday, November 19th 2008 @ 9:01 AM

Originally posted - January 21, 2007

“Magic crypto fairy dust” is a term I heard software security guru Gary McGraw use when talking about how you can’t just do a static analysis of an application’s code and expect it to find all vulnerabilities.

That’s because vulnerabilities often creep into applications via poor architectures and designs. Unless analysis is done from the architectural level on down through source code scans and penetration testing, there are only limited types of vulnerabilities that can be found.

According to an IT News story called “The Truth About Software Security”, a spinoff of Symantec named Veracode is offering a static analysis service to analyze compiled software code. They don’t analyze source code, just the machine code. It’s not that it’s a bad thing to do, but I expect a lot of companies will view this as a total replacement for many vital Application Security techniques that are sorely needed to bring the security of the average application up to a reasonably high assurance level.

What do you think? Will this result in a net “increase” or “decrease” in software security?


Scott Wright

The Streetwise Security Coach


Copyright 2012. Security Perspectives Inc. All Rights Reserved.