On 06/23/2011 07:52 PM, Matthew Finkel wrote:
> Programming secure software is not the easiest task to master. It takes
> a lot of planning and enough knowledge about the components you're using
> to know exactly how they all work together, as well as how they are not
> supposed to be used. In many cases, vulnerabilities originate from lack
> of knowledge in novice programmers. Others are just something that was
> overlooked in the planning stage, which becomes much more possible as
> the size of the program increases. And, of course, sometimes people make
> a mistake.

It's getting easier to write "syntactically" secure code but you can't write "semantically" secure code unless you understand several domains simultaneously. There have been enough foul-ups to make the current generation of tools enforce syntactic security. But just because I *have to* use component XYZ in a function call doesn't mean I have to make that call with *any* semblance of intelligence about the current state and environment. In other words, as Matthew wrote above, it ain't always that easy. You can bolt the doors and windows, but if your walls are merely sheetrock, a well-placed foot will get you in.