August 2007 - Posts

DREAD and the PHB
Sometimes when I present about secure programming practices, I emphasize education for PMs, testers, and devs, for obvious reasons. Then there's the hard part – educating management. You really have to be able to do that – you need to spend time on security Read More...
DREADful
Both the STRIDE and DREAD systems Michael and I documented in Writing Secure Code have been criticized quite a bit. Neither of them was developed with any real academic rigor, and from a scientific standpoint, neither of them tends to hold up very well. Read More...
More on C++ code auditing
Just now had a chance to take a look at the presentation I referenced in my last post. It's fairly long and detailed, but worth a thorough reading. You can grab it here: http://taossa.com/ Someone commented on my last post that this stuff should be obvious Read More...
Avoiding C++ vulnerabilities
Just returned from Blackhat – it always seems that the presentations I most want to see happen at the same time as I'm scheduled to talk. Neel Mehta, John McDonald and Mark Dowd were talking about finding exploitable C++ specific flaws, and I was only Read More...