Standards for developing secure software

From: David Wheeler (dwheelerat_private)
Date: Thu Jan 02 2003 - 08:02:30 PST

Next message: Crispin Cowan: "Re: Writing Secure code[update]"

Previous message: K K Mookhey: "Re: Writing Secure code[update]"
Next in thread: Peter Gutmann: "Re: Standards for developing secure software"
Reply: Peter Gutmann: "Re: Standards for developing secure software"
Reply: Steven M. Christey: "Re: Standards for developing secure software"
Reply: dirk.dussartat_private: "Re: Standards for developing secure software"
Reply: Ogle Ron (Rennes): "RE: Standards for developing secure software"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Rahul Chander Kashyap <rahulat_private> said:
>>So, how about directing our focus with a aim at reaching ...
>>some kind of a standard/practice which aims at following
>>certain guidelines to be taken at the design stage of any software
>>development process ...
>>yes there are books..i agree but then if we follow something as a standard
>>i'm sure that it shall be more universally accepted and we also cud improve
>>on those! ...
>>But from our/the
>>developer point of view shudn't we have a practice that shud be adhered to??
>>(Say this could start from as simple a thing like ONLY using checked
>>functions like strncpy() instead of strcpy.)


I'm a strong supporter of useful standards, but the emphasis has to be on
"useful".  For example, you can have perfectly insecure code using strncpy().
See my book for why that's so.  Cookie cutters don't work well here.

A standard "guidance" document could be useful; the existing books could

be used as a starting point.  But it requires much more text - it's not just

"don't use function X, use function Y".

But if you really want secure code, the MOST important thing is to
get developers trained in how to write secure programs.
The basic problem isn't that we need better books or guidance.

The problem is that developers don't grok _ANY_ of the books.

In short, you only need one meta-practice: if you're a developer, you
MUST sit down and learn how to write secure code.  Period.
Lots of other things can help (e.g., languages/libraries with fewer
"sharp edges", processes, tools, etc.) - but they will _all_ fail badly if
developers don't know how to do the job.

I half-seriously think we should shut down every CS or Software Engineering
department that doesn't devote at least two hours to the subject of how to
develop your own secure software.  NOT "how the DES algorithm/Kerberos/IPSec/
firewalls work". Because, in the real world, people don't re-write DES - they
implement their own code, and tend to make the same mistakes as everyone
else did before them. Now that the Internet is ubiquitous, EVERY developer
has to write secure code at some time - it's a result of being interconnected.

Grab any of the books I mentioned (mine, Howard's, Viega's) and use that
as a resource.  Talk through the S&S principles, walk through the most
common types of vulnerabilities in real programs and how to avoid them.

In one hour a developer can learn enough to avoid 99% of the mistakes
currently being made.  I've done this many times. You can even download
my 1-hour talk and slides for free from:
  http://www.dwheeler.com/secure-programs

It's criminal that we can't figure out how to get that 1-2 hours.



--- David A. Wheeler

Next message: Crispin Cowan: "Re: Writing Secure code[update]"
Previous message: K K Mookhey: "Re: Writing Secure code[update]"
Next in thread: Peter Gutmann: "Re: Standards for developing secure software"
Reply: Peter Gutmann: "Re: Standards for developing secure software"
Reply: Steven M. Christey: "Re: Standards for developing secure software"
Reply: dirk.dussartat_private: "Re: Standards for developing secure software"
Reply: Ogle Ron (Rennes): "RE: Standards for developing secure software"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jan 02 2003 - 18:45:39 PST