Re: Standards for developing secure software

From: dirk.dussartat_private
Date: Thu Jan 09 2003 - 07:01:44 PST


    Stefan,
    
    I have been doing application security assessment for several clients, and my conclusion is:
    
    1) There are no security requirements for the system, and if they exist they are mostly technical: we will be using an authentication system, we will be using a firewall.
    
    2) If there are security requirements, they have not been based on proper functional risk analysis.
    
    3) Technologies are selected for technology's sake and not based on sound risk management principles.
    
    4) Lack of secure coding guidelines
    
    5) Lack of security testing
    
    We can continue ad infinitum.
    
    So my overall conclusion:
    
    Don't blame the programmers, because when they start working it is in most cases already too late; let's start by evangelizing to the people that have more decisional power. Then start to evangelize the application architects and designers, functional requirements gatherers, ...
    What is needed is making companies "risk management aware", and security is only one single dimension.
    
    This represents my personal view and may not reflect the opinion of my employer.
    
    Regards,
    
    --  Dirk
    
    
    Stefan Schildt <stefan.schildt@piceng.se> wrote on 08/01/2003 08:55 to secprogat_private, subject "Re: Standards for developing secure software":
    
    "Steven M. Christey" wrote:
    
    > David Wheeler said:
    >
    > >The problem is that developers don't grok _ANY_ of the books.
    >
    > I wonder if some of this has to do with how the books are laid out.
    
    I doubt that's the main reason.
    
    I deal with leading programmers, and it seems to me that they are very well trained to always think about performance in terms of memory and CPU usage. They are rarely, if ever, trained to think about security from line one.
    
    When pressing them to do so, this is considered to be a burden. Almost like when the teacher forced you to make your first flowchart instead of just launching it all in the code editor.
    
    When asking why I seem to get three answers:
    
    (1) Many programmers see security as something extremely difficult. This leads them to give up before they have even started.
    
    (2) "It won't happen to my application anyway"
    
    (3) This is a job for the network and technet guys to do.
    
    The common ground is that this is not part of what they think is an important part of an application. It doesn't seem to be part of their professional pride in the same way as saving memory and CPU power is. This in turn seems logical if you look at the world ten years back: no networks, expensive memory and slow CPUs.
    
    So what we need is a wake-up call, with lots of missionary work. The main thing I would say is that all the people devoted to this list should also be active in other forums for programmers. The programmers won't come here fast enough, so we should come to them.
    
    /Stefan
    

    This archive was generated by hypermail 2b30 : Sat Jan 11 2003 - 11:03:18 PST