Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <aNhibrmfkKuRJVsW@yuggoth.org>
Date: Sat, 27 Sep 2025 22:17:18 +0000
From: Jeremy Stanley <fungi@...goth.org>
To: oss-security@...ts.openwall.com
Subject: Re: How to do secure coding and create secure software

On 2025-09-27 23:40:13 +0200 (+0200), Solar Designer wrote:
[...]
> However, if in "functions/methods are secure" you refer only to 
> smaller building blocks, then no, the program built from them may 
> still be insecure. Also "the whole software" isn't necessarily 
> just one program.
[...]

Yes, in practical terms the majority of security vulnerabilities I 
handle day to day lately stem from insecure design choices. The 
software is working as designed, but the design was poorly chosen.

Insecure coding patterns are mostly caught by static analyzers 
during development or review, and so don't typically even merge to 
the public code repository much less end up in the hands of users.
-- 
Jeremy Stanley

Download attachment "signature.asc" of type "application/pgp-signature" (964 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.