I quite agree with your sentiments, however I would like to take issue (or make rather picky criticism) with the applicability of some of the standards you quote, at least insofar as "writing secure code": the ISO 9000 series, as I recall, had more to do with documenting a (repeatable) process, and in the best of all worlds, providing a feedback process for improving it. In many cases, it has merely provided proof that a bad process can be repeated, and well understood. I had thought the Common Criteria were a standardized measure for evaluating secure systems, without much in the way of guidelines about how to build them. The Orange Book probably came closest, but seemed largely unworkable, judging by its breadth of application: I believe only one system was ever certified A1, and the most commonly applied level, C2, is so ridiculously trivial that it was even awarded to Windows (albeit NT, not 95). Personally, I have very little faith in proof of correctness (a baase requirement for A1), as most proofs tended to be larger than the code they were trying to prove. -----Original Message----- From: Crispin Cowan [mailto:crispinat_private] Sent: Tuesday, December 31, 2002 3:28 PM To: Rahul Chander Kashyap Cc: Matt McClellan; viegaat_private; secprogat_private Subject: Re: Writing Secure code[update] Rahul Chander Kashyap wrote: >First of all i'm thankful to all for responding to my query. Well this shows >one thing for sure..we share similar concerns :-) >Actually i'm quite surprised that no one as yet has said that yes! we follow >some standards to <or rather attempt to>make our coding more secure. > Safety standards. They sound great: specify a standard, have everyone follow it, and we'll have far fewer problems. The problem is that the standard must be *effective*. Safety standards in other engineering disciplines are only implemented after it is *very* well understood what cookbook recipe a competent engineer should follow when designing a steam boiler, bridge, skyscraper, etc. such that it will not fall down. We cannot specify a cook book for programmers to follow to write secure code, because we do not know what such a cook book should say. Prematurely specifying a security programming standard would be disasterous, for several reasons: * Unrealistic expectations: lay people will believe the hype, and expect standard-following code to be secure, and then regret it when they get hacked anyway. * Poor uptate: users starting to notice that the standard doesn't work will fail to pay the price premium for standard-following products. * Contempt: developers who know that the standard doesn't work will be contemptuous of it, and refuse to follow it. With nearly everyone having such a negative view of the standard, it will substantially delay the adoption of standards that are actually effective when they eventually come along. Oh wait! This has already happened: Orange Book, Common Criteria, and ISO 9000 are all standards that seek to do what you propose, they are all hugely expensive to propose, and none of them work. They have not been widely adopted, and one or two of us are a tad contemptuous of them :) So long as "writing secure code" is still a research problem, it should not be standardized. So what can be done? We *do* have a bunch of good practice knowledge (the Saltzer and Schroeder paper <http://web.mit.edu/Saltzer/www/publications/protection/index.html>, books <http://buildingsecuresoftware.com/>, and on-line resources <https://sardonix.org/Auditing_Resources.html>) and that knowledge is very poorly diffused into the general programmer population. *Education* is the key here: share these best practices with every programmer you can. If you are software educator, make sure your students are made aware of these issues. Crispin -- Crispin Cowan, Ph.D. Chief Scientist, WireX http://wirex.com/~crispin/ Security Hardened Linux Distribution: http://immunix.org Available for purchase: http://wirex.com/Products/Immunix/purchase.html Just say ".Nyet" --------- End Forwarded Message --------- _____________________________________________________________ Get 25MB, POP3, Spam Filtering with LYCOS MAIL PLUS for $19.95/year. http://login.mail.lycos.com/brandPage.shtml?pageId=plus&ref=lmtplus
This archive was generated by hypermail 2b30 : Thu Jan 02 2003 - 18:46:09 PST