David Wheeler <dwheelerat_private> writes:

>But if you really want secure code, the MOST important thing is to get
>developers trained in how to write secure programs. The basic problem isn't
>that we need better books or guidance. The problem is that developers don't
>grok _ANY_ of the books. In short, you only need one meta-practice: if you're
>a developer, you MUST sit down and learn how to write secure code. Period.

Yup, that's the single "methodology" which works for writing secure code: Get
it written by a skilled programmer who has the self-discipline to very
carefully check every part of their work to make sure there are no problems.
However, you also need to combine this with a development schedule of "Let us
know when you think it's ready for public use" (again, with the self-discipline
to ensure that something gets released at some point).

The whole point of the CC and everything like it is to (try to) emulate the
functionality of the skilled security programmer using unskilled labour. It
works about as well as handing a random kid a sheet of music and a fingering
guide and expecting to hear Yehudi Menuhin. You can't fake this, you need
actual *talent* to make it happen (although you can produce a lot of paperwork
claiming it should be OK if that's all you're after).

There are some downsides to this approach. Marv Schaefer (I think... well it
sounds like the sort of thing he would have said) once observed that "To get a
truly secure system, you must ensure that it's designed and built by geniuses.
Unfortunately, geniuses are in short supply". Still, I'm much more confident
that something like Postfix or Qmail is secure than "Unbreakable Oracle", no
matter how many security certificates and full-page ads Oracle have for it.

Peter.
This archive was generated by hypermail 2b30 : Fri Jan 03 2003 - 18:57:34 PST