RE:Writing Secure code[update]

From: charles lindsay (frostbackengat_private)
Date: Wed Jan 01 2003 - 17:54:56 PST

  • Next message: Warwick Molloy: "Re: Writing Secure code[update]"

    I quite agree with your sentiments, however I would like to take issue (or make rather picky criticism) with the applicability of some of the standards you quote, at least insofar as "writing secure code":
    
    the ISO 9000 series, as I recall, had more to do with documenting a (repeatable) process, and in the best of all worlds, providing a feedback process for improving it.  In many cases, it has merely provided proof that a bad process can be repeated, and well understood.
    
    I had thought the Common Criteria were a standardized measure for evaluating secure systems, without much in the way of guidelines about how to build them.
    
    The Orange Book probably came closest, but seemed largely unworkable, judging by its breadth of application: I believe only one system was ever certified A1, and the most commonly applied level, C2, is so ridiculously trivial that it was even awarded to Windows (albeit NT, not 95).  Personally, I have very little faith in proof of correctness (a baase requirement for A1), as most proofs tended to be larger than the code they were trying to prove.
    
    
    -----Original Message-----
    From: Crispin Cowan [mailto:crispinat_private]
    Sent: Tuesday, December 31, 2002 3:28 PM
    To: Rahul Chander Kashyap
    Cc: Matt McClellan; viegaat_private; secprogat_private
    Subject: Re: Writing Secure code[update]
    
    
    Rahul Chander Kashyap wrote:
    
    >First of all i'm thankful to all for responding to my query. Well this
    shows
    >one thing for sure..we share similar concerns :-)
    >Actually i'm quite surprised that no one as yet has said that yes! we
    follow
    >some standards to <or rather attempt to>make our coding more secure.
    >
    Safety standards. They sound great: specify a standard, have everyone 
    follow it, and we'll have far fewer problems.
    
    The problem is that the standard must be *effective*. Safety standards 
    in other engineering disciplines are only implemented after it is *very* 
    well understood what cookbook recipe a competent engineer should follow 
    when designing a steam boiler, bridge, skyscraper, etc. such that it 
    will not fall down.
    
    We cannot specify a cook book for programmers to follow to write secure 
    code, because we do not know what such a cook book should say. 
    Prematurely specifying a security programming standard would be 
    disasterous, for several reasons:
    
        * Unrealistic expectations: lay people will believe the hype, and
          expect standard-following code to be secure, and then regret it
          when they get hacked anyway.
        * Poor uptate: users starting to notice that the standard doesn't
          work will fail to pay the price premium for standard-following
          products.
        * Contempt: developers who know that the standard doesn't work will
          be contemptuous of it, and refuse to follow it.
    
    With nearly everyone having such a negative view of the standard, it 
    will substantially delay the adoption of standards that are actually 
    effective when they eventually come along.
    
    Oh wait! This has already happened: Orange Book, Common Criteria, and 
    ISO 9000 are all standards that seek to do what you propose, they are 
    all hugely expensive to propose, and none of them work. They have not 
    been widely adopted, and one or two of us are a tad contemptuous of them :)
    
    So long as "writing secure code" is still a research problem, it should 
    not be standardized.
    
    So what can be done? We *do* have a bunch of good practice knowledge 
    (the Saltzer and Schroeder paper 
    <http://web.mit.edu/Saltzer/www/publications/protection/index.html>, 
    books <http://buildingsecuresoftware.com/>, and on-line resources 
    <https://sardonix.org/Auditing_Resources.html>) and that knowledge is 
    very poorly diffused into the general programmer population. *Education* 
    is the key here: share these best practices with every programmer you 
    can. If you are software educator, make sure your students are made 
    aware of these issues.
    
    Crispin
    
    -- 
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX                      http://wirex.com/~crispin/
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
    			    Just say ".Nyet"
    
    
    --------- End Forwarded Message ---------
    
    
    
    _____________________________________________________________
    Get 25MB, POP3, Spam Filtering with LYCOS MAIL PLUS for $19.95/year.
    http://login.mail.lycos.com/brandPage.shtml?pageId=plus&ref=lmtplus
    



    This archive was generated by hypermail 2b30 : Thu Jan 02 2003 - 18:46:09 PST