GrepLaw
This site is a production of the Berkman Center for Internet & Society. Please email if you have questions, contributions, or ideas about improving this site.
Fortifying Your New Code
posted by scubacuda on Tuesday April 06, @01:34PM
Topic: Security

ZDnet reports that Fortify Software detects common vulnerabilities, such as buffer overflows, format string errors and SQL injection exploits, BEFORE it hits the market.

One has to wonder what kind of liability software companies might incur if they used this product and still knowingly released insecure code.

Liability??? Wouldn't it be *lowered*? (Score:2)
by Seth Finkelstein ({sethf} {at} {sethf.com}) on Tuesday April 06, @03:33PM (#1525)
User #31 Info | http://sethf.com/

No tool is perfect. I'm not a lawyer, but I'd think that using such tools would count against liability, as evidence of following reasonable practices.

By the way, these types of tools are not new. Detecting these bugs is a longstanding software development area, and good developers will have already used similar tools (bad developers, however ...)

Seth Finkelstein [sethf.com]

Re:Liability??? Wouldn't it be *lowered*? (Score:1)
by scubacuda (scubacudaNO@SPAMiname.com) on Tuesday April 06, @10:31PM (#1526)
User #483 Info | http://www.greplaw.org/

IANAL either.

I'd think that they'd lower liability *if* you followed its advice. If such a tool reported your software insecure and you *still* released it (bugs and all), then I would think that you'd be *more* liable.

(Any lawyers in the house who might clarify?)

There are a thousand forms of subversion, but few can equal the convenience and immediacy of a cream pie. Noel Godin

Re:Liability??? Wouldn't it be *lowered*? (Score:1)
by Seth Finkelstein ({sethf} {at} {sethf.com}) on Wednesday April 07, @01:51AM (#1527)
User #31 Info | http://sethf.com/

Assuming this isn't anything very new, the problem is that these tools can't report your software as insecure. They can report that in test #23, there was an overflow bug in the buffer used in line #71 of file #54, which is absolutely wonderful in terms of tracking down problems. But if there's no test case which shows the bug, there's no notification.

Seth Finkelstein [sethf.com]

Humanity has the stars in its future, and that future is too important to be lost under the burden of juvenile folly and ignorant superstition. - Isaac Asimov
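The coverage limit raised in the last comment (a finding is reported only where some check actually covers the code pattern) applies just as much to a source-level scanner of the kind the story describes as to a test suite. The Python checker below is an added example for this discussion, not Fortify's product and not code from this page; it uses the standard `ast` module to flag one of the three bug classes the story names, SQL built at run time and passed to a DB-API `execute()` call. The four sample sources are constructed for the demonstration and show a case the rule catches, a case it catches only when a second rule (tracking assignments inside the function) is switched on, and a case it silently misses because the query is assembled in a helper function it has no rule for.

```python
"""Minimal static checker: reports SQL queries built at run time and passed
to a DB-API execute() call. Added example, not Fortify's code or the page's."""
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    detail: str


# DB-API cursor methods treated as SQL sinks (assumption for this example).
SQL_SINKS = {"execute", "executemany", "executescript"}


def _is_dynamic_string(node: ast.AST) -> bool:
    """True when the node builds a string at run time from parts:
    '+' concatenation, '%' formatting, an f-string, or str.format()."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if isinstance(node, ast.JoinedStr):
        return True
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False


class _Checker(ast.NodeVisitor):
    def __init__(self, track_assignments: bool):
        self.track = track_assignments
        self.findings: list[Finding] = []
        self.assigned: dict[str, ast.AST] = {}  # name -> last assigned value

    def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
        self.assigned = {}  # assignments are tracked per function body
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        for target in node.targets:
            if isinstance(target, ast.Name):
                self.assigned[target.id] = node.value
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        if (isinstance(node.func, ast.Attribute)
                and node.func.attr in SQL_SINKS and node.args):
            arg = node.args[0]
            # Second rule: resolve a plain variable to what was last assigned to it.
            if self.track and isinstance(arg, ast.Name):
                arg = self.assigned.get(arg.id, arg)
            if _is_dynamic_string(arg):
                self.findings.append(Finding(
                    "sql-injection", node.lineno,
                    f"query passed to .{node.func.attr}() is built at run time"))
        self.generic_visit(node)


def scan(source: str, track_assignments: bool = False) -> list[Finding]:
    """Scan Python source text and return the findings in source order."""
    checker = _Checker(track_assignments)
    checker.visit(ast.parse(source))
    return checker.findings


# Constructed sample sources (not from any real project).
SAMPLE_DIRECT = '''
def lookup(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")
'''
SAMPLE_VIA_VARIABLE = '''
def lookup(cursor, name):
    query = "SELECT * FROM users WHERE name = '%s'" % name
    cursor.execute(query)
'''
SAMPLE_VIA_HELPER = '''
def build(name):
    return "SELECT * FROM users WHERE name = '" + name + "'"

def lookup(cursor, name):
    cursor.execute(build(name))
'''
SAMPLE_SAFE = '''
def lookup(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = ?", (name,))
'''


def summary() -> dict[str, tuple[int, int]]:
    """Findings per sample as (count without tracking, count with tracking)."""
    samples = {"direct": SAMPLE_DIRECT, "via_variable": SAMPLE_VIA_VARIABLE,
               "via_helper": SAMPLE_VIA_HELPER, "safe": SAMPLE_SAFE}
    return {name: (len(scan(src)), len(scan(src, track_assignments=True)))
            for name, src in samples.items()}


if __name__ == "__main__":
    for name, (naive, tracked) in summary().items():
        print(f"{name:13s} naive={naive} tracked={tracked}")
```

The "via_helper" sample is the point of the exercise: the query is just as injectable as in the first sample, but because no rule follows the value into `build()`, the scanner says nothing, and silence from the tool is not evidence that the code is clean.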
