August Derleth said:
> Indeed. This is the best possible route to defensive programming, and I
> wish more Microsoft programmers (for example) thought this way.
I think it is too weak.
For input, assume the input doesn't come from a user, but from a
completely unscrupulous attacker who is paid serious money to cause as
much damage as possible.
Assume that the attacker has both the source code and the assembler
code; the source code is useful to find where your program has undefined
behaviour according to the C Standard, the assembler code tells the
attacker what your implementation actually does in the case of undefined
behavior.
Assume that the attacker's goal is not just to crash your program, but
to take control of your computer, and any undefined behavior in your
program could give the attacker the means to achieve this. Just
assume that a successful attacker will force the computer to send _your_
name, address, date of birth, mother's maiden name, social security,
passport, driver license and credit card numbers, bank details and so on
to the attacker, leaving a ghastly amount of child pornography on your
computer in exchange which will be discovered by your
employer/wife/girlfriend, leading to job loss/loss of important body
parts and several years of jail time. That should keep you motivated, and
motivation is the most important thing for secure programming.