This is exactly the argument I make about Firewalls... they can be a great tool, but if you put a "permit all" at the top, you have just defeated the purpose of the software, and further - you get a false sense of security. Which is why I recommend to anyone checking firewalls that they try penetration tests to make sure the software functions as advertised and as specified.

I would postulate that secure programming hasn't taken place if there are holes in the software that allow it to fail or do bad things (like permit all in a Firewalls system).

Certainly a part of secure programming is the old adage 'safe programming' - that is checking your inputs before processing. If there are unreasonable inputs, then the program should do something reasonable for the situation - and not abend.

That's my spin. Not that there is a lot of software out there that does this... but that is the goal.

--------------------------------------------
Michael S Hines
Purdue University
OS/390 Systems Programmer
Management Information
1061 Freehafer Hall
West Lafayette, IN 47907-1061
phone 765-494-5875
fax 765-496-1380
email mshinesat_private

-----Original Message-----
From: Ryan Russell [mailto:ryanat_private]
Sent: Tuesday, May 15, 2001 9:40 PM
To: mshines
Cc: secprogat_private
Subject: Re: FW: Repost

On Mon, 14 May 2001, mshines wrote:

> We don't practice what we preach? :)
>
> New software = failed software...

Not exactly. We went from Listserv, a closed-source software package that does not appear to have security as an important design goal, to ezmlm, written by DJB. Near as I can tell, DJB puts security as a top priority for all of his stuff, and does a good job in that area. Our problems stem from administering said package, not from any development effort on our part.

I would argue that secure or functional administration of a package is orthogonal to the problem of developing secure software.

Or: The software is a good example of secprogramming, just give us a sec to figure the thing out.. :)

Ryan

This archive was generated by hypermail 2b30 : Sun May 20 2001 - 23:26:50 PDT