Re: Standards for developing secure software

From: Steven M. Christey (coleyat_private)
Date: Tue Jan 07 2003 - 13:49:03 PST

    David Wheeler said:
    
    >The problem is that developers don't grok _ANY_ of the books.
    
    I wonder if some of this has to do with how the books are laid out.
    Based on what I've seen (and I haven't read them cover-to-cover), the
    books are roughly organized according to the types of problems
    encountered, instead of having sections for constructs that
    programmers understand (files, directories, command execution,
    networking) and linking them to the issues that are likely to be found
    in those constructs.  Obviously the same type of vulnerability can
    show up in multiple constructs, but a different organization might
    help programmers better deal with the deluge of information while
    still getting across the "safe programming mindset" that seems to be a
    major goal of the books.  That said, the emphasis on buffer overflows
    is quite deserved :) and these books are excellent regardless of my
    own pet theories.
    
    >in the real world, people don't re-write DES - they implement their
    >own code, and tend to make the same mistakes as everyone else did
    >before them.
    
    The PROTOS project and other "suite auditing" techniques demonstrate
    this problem (most recently, Rapid 7's analysis of SSH2).
    
    >In one hour a developer can learn enough to avoid 99% of the mistakes
    >currently being made... It's criminal that we can't figure out how to
    >get that 1-2 hours.
    
    One would figure that "secure programming certification" would be
    right around the corner, but there must be a good reason why nobody's
    really tried to do that yet.
    
    - Steve
    