Standards for developing secure software

From: David Wheeler (dwheelerat_private)
Date: Thu Jan 02 2003 - 08:02:30 PST

    Rahul Chander Kashyap <rahulat_private> said:
    >>So, how about directing our focus with an aim at reaching ...
    >>some kind of a standard/practice which aims at following
    >>certain guidelines to be taken at the design stage of any software
    >>development process ...
    >>yes there are books.. I agree but then if we follow something as a standard
    >>I'm sure that it shall be more universally accepted and we also could improve
    >>on those! ...
    >>But from our/the
    >>developer point of view shouldn't we have a practice that should be adhered to??
    >>(Say this could start from as simple a thing like ONLY using checked
    >>functions like strncpy() instead of strcpy.)
    
    
    I'm a strong supporter of useful standards, but the emphasis has to be on
    "useful".  For example, you can have perfectly insecure code using strncpy().
    See my book for why that's so.  Cookie cutters don't work well here.
    
    A standard "guidance" document could be useful; the existing books could
    be used as a starting point.  But it requires much more text - it's not just
    "don't use function X, use function Y".
    
    But if you really want secure code, the MOST important thing is to
    get developers trained in how to write secure programs.
    The basic problem isn't that we need better books or guidance.
    The problem is that developers don't grok _ANY_ of the books.
    
    In short, you only need one meta-practice: if you're a developer, you
    MUST sit down and learn how to write secure code.  Period.
    Lots of other things can help (e.g., languages/libraries with fewer
    "sharp edges", processes, tools, etc.) - but they will _all_ fail badly if
    developers don't know how to do the job.
    
    I half-seriously think we should shut down every CS or Software Engineering
    department that doesn't devote at least two hours to the subject of how to
    develop your own secure software.  NOT "how the DES algorithm/Kerberos/IPSec/
    firewalls work". Because, in the real world, people don't re-write DES - they
    implement their own code, and tend to make the same mistakes as everyone
    else did before them. Now that the Internet is ubiquitous, EVERY developer
    has to write secure code at some time - it's a result of being interconnected.
    
    Grab any of the books I mentioned (mine, Howard's, Viega's) and use that
    as a resource.  Talk through the S&S principles, walk through the most
    common types of vulnerabilities in real programs and how to avoid them.
    
    In one hour a developer can learn enough to avoid 99% of the mistakes
    currently being made.  I've done this many times. You can even download
    my 1-hour talk and slides for free from:
      http://www.dwheeler.com/secure-programs
    
    It's criminal that we can't figure out how to get that 1-2 hours.
    --- David A. Wheeler
    
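The strncpy() remark in the reply above is worth seeing in code. The following is an added example, not code from the thread or from any of the books named; it constructs an 8-byte buffer and shows that a textbook strncpy() call can leave it unterminated, next to a copy routine that terminates explicitly and reports truncation.

```c
#include <stdio.h>
#include <string.h>

/* Case 1: strncpy() called exactly as the man page describes. If src is at
   least dst_size bytes long, strncpy() fills dst completely and writes NO
   terminator, so any later strlen()/printf("%s") reads past the buffer.
   Returns 1 if dst ended up NUL-terminated within dst_size, 0 if not. */
int naive_copy_is_terminated(char *dst, size_t dst_size, const char *src) {
    strncpy(dst, src, dst_size);   /* pads with NULs only when src is shorter */
    return memchr(dst, '\0', dst_size) != NULL;
}

/* Case 2: the fix is not "use strncpy()" but "know the contract": copy at
   most dst_size-1 bytes, terminate explicitly, and report truncation so the
   caller can decide whether a silently shortened value is acceptable.
   Returns 1 if src was truncated, 0 if it fit, -1 on a zero-size buffer. */
int safe_copy(char *dst, size_t dst_size, const char *src) {
    if (dst_size == 0)
        return -1;
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';
    return strlen(src) >= dst_size ? 1 : 0;
}

int main(void) {
    char buf[8];                           /* constructed 8-byte buffer */
    const char *fits = "1234567";          /* 7 chars + NUL fits exactly */
    const char *full = "12345678";         /* 8 chars: no room for the NUL */

    printf("naive, fits : terminated=%d\n",
           naive_copy_is_terminated(buf, sizeof buf, fits));
    printf("naive, full : terminated=%d\n",
           naive_copy_is_terminated(buf, sizeof buf, full));
    printf("safe,  full : truncated=%d value=\"%s\"\n",
           safe_copy(buf, sizeof buf, full), buf);
    return 0;
}
```

The same mistake hides in the size argument as well: passing the source length instead of the destination size turns strncpy() back into strcpy().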



    This archive was generated by hypermail 2b30 : Thu Jan 02 2003 - 18:45:39 PST