Message-Id: <E1XtgTn-0003zj-K6@rmm6prod02.runbox.com>
Date: Wed, 26 Nov 2014 12:34:15 -0500 (EST)
From: "David A. Wheeler" <dwheeler@...eeler.com>
To: "oss-security" <oss-security@...ts.openwall.com>
Subject: Apple goto fail - lessons that should be learned

I recently looked at Apple's "goto fail" vulnerability
revealed back in February this year, to see what could or should have
been done to find the vulnerability BEFORE the code was released to users.
You can see the result here:

http://www.dwheeler.com/essays/apple-goto-fail.html

As always, if there are additional measures, let me know.

I've previously done this exercise with:
* Heartbleed: http://www.dwheeler.com/essays/heartbleed.html
* Shellshock: http://www.dwheeler.com/essays/shellshock.html
* POODLE: http://www.dwheeler.com/essays/poodle-sslv3.html

My hope is that everyone involved in software development and/or
security analysis will get better at countering or detecting
vulnerabilities *before* they get out to users.  Learning from the past
seems like a way to help get there.

--- David A. Wheeler
