Re: Standards for developing secure software

From: Peter Gutmann (pgut001at_private)
Date: Thu Jan 02 2003 - 19:47:15 PST


David Wheeler <dwheelerat_private> writes:

>But if you really want secure code, the MOST important thing is to get
>developers trained in how to write secure programs. The basic problem isn't
>that we need better books or guidance. The problem is that developers don't
>grok _ANY_ of the books. In short, you only need one meta-practice: if you're
>a developer, you MUST sit down and learn how to write secure code.  Period.

Yup, that's the single "methodology" which works for writing secure code: Get
it written by a skilled programmer who has the self-discipline to very
carefully check every part of their work to make sure there are no problems.
However, you also need to combine this with a development schedule of "Let us
know when you think it's ready for public use" (again, with the
self-discipline to ensure that something gets released at some point).  The
whole point of the CC and everything like it is to (try to) emulate the
functionality of the skilled security programmer using unskilled labour.  It
works about as well as handing a random kid a sheet of music and a fingering
guide and expecting to hear Yehudi Menuhin.  You can't fake this, you need
actual *talent* to make it happen (although you can produce a lot of paperwork
claiming it should be OK if that's all you're after).

There are some downsides to this approach.  Marv Schaefer (I think... well it
sounds like the sort of thing he would have said) once observed that "To get a
truly secure system, you must ensure that it's designed and built by geniuses.
Unfortunately, geniuses are in short supply".  Still, I'm much more confident
that something like Postfix or Qmail is secure than "Unbreakable Oracle", no
matter how many security certificates and full-page ads Oracle have for it.

Peter.

This archive was generated by hypermail 2b30 : Fri Jan 03 2003 - 18:57:34 PST