Slashdot Mirror


How Do You Know Your Code is Secure?

bvc writes "Marucs Ranum notes that 'It's really hard to tell the difference between a program that works and one that just appears to work.' He explains that he just recently found a buffer overflow in Firewall Toolkit (FWTK), code that he wrote back in 1994. How do you go about making sure your code is secure? Especially if you have to write in a language like C or C++?"

6 of 349 comments (clear)

  1. You don't by CockMonster · · Score: 5, Funny

    Just get others to formally review it so if anything is found, there's collective responsibilty

  2. Verified by Anonymous Coward · · Score: 5, Funny

    I get mine verified by microsoft

  3. Easy by $pearhead · · Score: 5, Funny
    Just make sure your buffers are really really REALLY big:

    char nooverflowbuffer[234523400];

    sprintf("Enter something:");
    scanf("%s", nooverflowbuffer);
    ... or maybe not ...
  4. Re:What's the matter with C/C++? by Anonymous Coward · · Score: 5, Funny

    'It's not that C/C++ is so insecure by itself'

    yeah a gun by itself is not insecure either....
    try giving it to a baby.....
    well I prefer a baby with a knife...I can still run faster than him...

  5. Re:Some possibilities by zCyl · · Score: 5, Funny
    You cannot know for sure (unless you want to develop code by mathematical proof

    In the words of the great Donald Knuth, "Beware of bugs in the above code; I have only proved it correct, not tried it."
  6. Don't let them use it where it matters by Anonymous Coward · · Score: 5, Funny

    I let my code have evident, gaping security flaws and make them well known. This way people will never use it in situations where security matters.

    regards,
    The author of sendmail