my evolution as a programmer
Paul Visscher
paulv at canonical.org
Wed Mar 7 20:20:05 EST 2007
Kragen Sitaker [kragen at pobox.com] said:
> Previously, I hadn't understood the psychological aspect of
> code-reading --- you have to understand not just what the code does,
> but what the previous programmer or programmers were thinking when
> they wrote it.
This echoes some of the things I've read in The Art of Software
Security Assessment. It's been a few months, so I'm paraphrasing, but
they're basically saying "To really get good at this code auditing
thing, you've got to start thinking like the programmer that wrote the
code being audited". Then you'll be able to know what other classes of
vulnerabilities (or corner cases in classes of vulnerabilities) the
authors are likely to have overlooked.
--paulv