• HarriPotero@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    5 months ago

    No. It kind of falls on Dijkstra’s old statement. “Testing can only prove the presence, not absence of bugs.”

    You can prove logical correctness of code, but an abstract thing such as “is there an unknown weakness” is a bit harder to prove. The tricky part is coming up with the correct constraints to prove.

    Security researchers tend to be on the testing side of things.

    A notable example is how DES got its mixers changed between proposal and standardisation. The belief at the time was that the new mixers had some unknown backdoor for the NSA. AFAIK, it has never been proven.