Re: Writing Secure code[update]

From: Rahul Chander Kashyap (rahulat_private)
Date: Tue Dec 31 2002 - 02:20:17 PST

Next message: Brian Hatch: "Re: Preventing ptrace()"

Previous message: Frederic Raynal: "Re: Preventing ptrace()"
In reply to: Matt McClellan: "RE: Writing Secure code"
Next in thread: Crispin Cowan: "Re: Writing Secure code[update]"
Next in thread: Glynn Clements: "Re: Writing Secure code"
Reply: Crispin Cowan: "Re: Writing Secure code[update]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi people,
First of all i'm thankful to all for responding to my query. Well this shows
one thing for sure..we share similar concerns :-)
Actually i'm quite surprised that no one as yet has said that yes! we follow
some standards to <or rather attempt to>make our coding more secure.
So, how about directing our focus with a aim at reaching a
methodology/conclusion as to what can be done (by us + others) to say bring
up some ideas of some kind of a standard/practice which aims at following
certain guidelines to be taken at the design stage of any software
development process that could help us prevent the code getting
exploited.(If something like this already exists please do let me know..this
shall save a lot of time!).
yes there are books..i agree but then if we follow something as a standard
i'm sure that it shall be more universally accepted and we also cud improve
on those!
These practices cud also be platform dependent.
I wud like to add here that Yes! i agree with all those who say that what if
the OS itself is to blame,the libraries are buggy,etc.etc..But from our/the
developer point of view shudn't we have a practice that shud be adhered to??
(Say this could start from as simple a thing like ONLY using checked
functions like strncpy() instead of strcpy.)

And yes let us not focus on the *buggy* aspect of the code because out here
we're trying to make sure that what we've written is not exploitable due to
*holes* left by the coder. Someone put it very well :
     * Reliable: something that does everything it is specified to do.
    * Secure : something that does everything it is specified to do..and
nothing else.
I agree that there is a very thin line between the two ;-)
please do let me know what u people feel of this proposal. I'm open to
forming a group (if required) and doing some kind of research on this
aspect.
I too believe that *absolute security is a myth*, but i do believe in taking
some steps so as to reach as close as possible to say *high grade security!*
:o) Any takers on this???

Have a fabulous new year!
Regards,

Rahul C. Kashyap
Software Developer
www.nsecure.net
-------------------
Layered Defence
-------------------

Next message: Brian Hatch: "Re: Preventing ptrace()"
Previous message: Frederic Raynal: "Re: Preventing ptrace()"
In reply to: Matt McClellan: "RE: Writing Secure code"
Next in thread: Crispin Cowan: "Re: Writing Secure code[update]"
Next in thread: Glynn Clements: "Re: Writing Secure code"
Reply: Crispin Cowan: "Re: Writing Secure code[update]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Dec 31 2002 - 15:18:25 PST