Security pals: what is the most concise secure coding advice you can give to a C devel for embedded? Pls RT and read thread before answering
-
Also look at the assembly output, especially on sensitive code. Optimization can break a correctly implemented crypto package.
-
that's hard, though, for your average embedded devel, isn't it? Can we help?
-
Upgrading to a modern compiler is a straightforward task with a clearly measurable goal. You can hire help for it (Trail of Bits will do it).
-
I agree with you. But most of these devels and companies do not have the budget. What are smaller, simple things we can advise them to do?
-
I'm not sure of the magic answer you're looking to find. Using modern compiler tools is something a junior dev can work towards.
-
Dan's advice is useful; another great help is following NASA's embedded coding guidelines. C Eng isn't about security as much as reliability
-
I was skimming this thread and thought you were talking about me for a second.
-
Agree with Dan. Once you port to clang use clang-analyze and refactor. Then tooling like ASAN becomes possible.
-
Or turn them on before getting the code building. Turning them all on should be the default.
-
Set up important dev<>test<>prod code/config early (TLS, etc.) to avoid weakening defaults inline for convenience, that may end up shipped.