On Mon, Aug 06, 2001 at 02:00:31PM +1000, Richard Archer wrote:
> And on a related note, in the article Bernard forwarded to the list:
>
> >the Secure Windows Initiative, said the company undertakes a massive effort
> >to find security flaws in products "before they get out the door."
> >
> >The centerpiece of the effort, said Lipner, is a program called Prefix. It
> >scans the entire code base of the Windows operating system and all Office
> >products for potential vulnerabilities. When one is found, Prefix
> >identifies the "offending coding practice that caused the vulnerability,"
>
> So, it seems M$ relies on a *piece of software* to scan source files
> looking for vulnerabilities. What a completely ridiculous way of
> performing a security audit!
Much as I hate to defend Microsoft for anything, programs to scan source
code for common vulnerabilities and coding mistakes are useful tools.
In fact, there are several tools like that in the free software world.
They're certainly not the only auditing that should be done, but such
tools can automate the finding of many common problems.
craig

-- 
craig sanders <cas@taz.net.au>

Fabricati Diem, PVNC. -- motto of the Ankh-Morpork City Watch
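An added illustration of the kind of scanner discussed above (not part of the thread, and not modelled on any particular tool): a minimal pattern-based checker that flags a few well-known unsafe C library calls in a constructed source fragment. The catalogue of calls and the sample code are assumptions for the example; the last lines of the sample show a mistake such a tool cannot see, which is the point about scanners not being the only audit needed.

```python
import re

# Assumed catalogue of C calls the scanner flags: reason, safer alternative.
RISKY_CALLS = {
    "gets":    ("unbounded read into a buffer", "fgets with a size limit"),
    "strcpy":  ("no length check on destination", "strlcpy/strncpy with bounds"),
    "strcat":  ("no length check on destination", "strlcat"),
    "sprintf": ("no output length limit", "snprintf"),
}

# \b keeps snprintf and my_strcpy from matching sprintf/strcpy.
CALL_RE = re.compile(r"\b(%s)\s*\(" % "|".join(RISKY_CALLS))


def scan_source(source):
    """Return (line number, function, reason, alternative) for each flagged call."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0]  # ignore trailing // comments
        for m in CALL_RE.finditer(code):
            fn = m.group(1)
            reason, alt = RISKY_CALLS[fn]
            findings.append((lineno, fn, reason, alt))
    return findings


# Constructed sample input: two flagged calls, one bounded call, one comment,
# and a bounds check that sits after the copy it was meant to protect.
SAMPLE = """\
#include <stdio.h>
#include <string.h>

void greet(const char *name) {
    char buf[64];
    strcpy(buf, name);                           // flagged
    sprintf(buf, "hello %s", name);              // flagged
    snprintf(buf, sizeof buf, "hello %s", name); // bounded: not flagged
    // strcpy(buf, name);  commented out: not flagged
    if (strlen(name) >= sizeof buf) return;      // check after the copy: unseen
    puts(buf);
}
"""

if __name__ == "__main__":
    for lineno, fn, reason, alt in scan_source(SAMPLE):
        print("line %d: %s() - %s; consider %s" % (lineno, fn, reason, alt))
```

The scanner reports lines 6 and 7 and says nothing about the misplaced length check on line 10, which only a human reviewer or a more semantic tool would catch.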
This archive was generated by hypermail 2.1.1 : Fri Aug 31 2001 - 03:10:03 EST