Kenneth F. Belva

Two Good Quotes from Michael Howard's Paper Entitled "A Process for Performing Security Code Reviews"

Michael Howard's recent blog entry points us to an article he wrote for IEEE. Here are two interesting quotes from the paper, which may be found here:

“Note that, although a general bug count is interesting and useful, we find no evidence at Microsoft of a correlation between general bug quantity and security bug quantity.”

“But first, it’s important to understand one simple rule: you must always know what the attacker controls. If the attacker controls nothing, there’s no security bug; if the attacker controls a great deal of data used in the code, the potential for a security bug skyrockets.”
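A worked illustration of Howard's rule, added here and not taken from his paper or this post: a minimal intraprocedural taint check over a Python AST that reports sink calls whose arguments derive from attacker-controlled sources, so a reviewer sees which calls deserve attention and which the attacker cannot influence. The source and sink lists, the helper names and the sample function under review are all constructed for this example.

```python
import ast
# Constructed source and sink lists for this example; a reviewer would tailor
# them per code base (assumption: these are illustrative, not from the paper).
SOURCES = {"input", "sys.stdin.read", "request.args.get", "socket.recv"}
SINKS = {"os.system", "subprocess.call", "eval", "cursor.execute"}
def dotted(node):  # 'a.b.c' for a Name/Attribute chain, else None
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute) and (base := dotted(node.value)):
        return f"{base}.{node.attr}"
    return None
def is_tainted(node, tainted):  # may this expression carry attacker data?
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.Call):  # a source, or a call wrapping tainted args
        return dotted(node.func) in SOURCES or any(is_tainted(a, tainted) for a in node.args)
    if isinstance(node, ast.BinOp):  # "cmd " + x, "%s" % x
        return is_tainted(node.left, tainted) or is_tainted(node.right, tainted)
    if isinstance(node, ast.JoinedStr):  # f"cmd {x}"
        return any(is_tainted(v.value, tainted) for v in node.values if isinstance(v, ast.FormattedValue))
    return False  # constants, tuples, lists: the attacker controls nothing here

def find_tainted_sinks(source):  # -> [(line, sink), ...] in statement order
    tainted, findings = set(), []
    def scan(stmts):
        for stmt in stmts:
            if hasattr(stmt, "body"):  # def/if/for/while/with/try: descend in order
                for field in ("body", "orelse", "finalbody"):
                    scan(getattr(stmt, field, []))
                continue
            if isinstance(stmt, ast.Assign):  # propagate or clear taint on assignment
                names = {t.id for t in stmt.targets if isinstance(t, ast.Name)}
                if is_tainted(stmt.value, tainted):
                    tainted.update(names)
                else:
                    tainted.difference_update(names)  # overwritten with trusted data
            for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
                name = dotted(call.func)
                if name in SINKS and any(is_tainted(a, tainted) for a in call.args):
                    findings.append((call.lineno, name))
    scan(ast.parse(source).body)
    return findings

# Constructed sample under review: only os.system consumes data the attacker shapes.
SAMPLE = '''def backup(cursor):
    name = input("file: ")                            # attacker controls name
    os.system("tar czf b.tgz " + name)                # line 3: flagged
    cursor.execute("SELECT 1 WHERE id=%s", (name,))   # parameterised: not flagged
    subprocess.call(["ls", "b.tgz"])                  # attacker controls nothing
'''
```

Running `find_tainted_sinks(SAMPLE)` reports only the `os.system` call on line 3; the checker is deliberately shallow (no inter-procedural flow, no sanitizer modelling), which is exactly the gap a human reviewer fills once the attacker-controlled data is identified.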

