RE: Standards for developing secure software

From: Gustaf Bjorksten (gustafat_private)
Date: Wed Jan 22 2003 - 22:55:44 PST

Next message: Luciano Miguel Ferreira Rocha: "Re: Can System() of Perl be bypassed?"

Previous message: Ed Carp: "Re: Standards for developing secure software"
In reply to: Witness: "RE: Standards for developing secure software"
Next in thread: Glynn Clements: "RE: Standards for developing secure software"
Next in thread: dirk.dussartat_private: "Re: Standards for developing secure software"
Reply: Glynn Clements: "RE: Standards for developing secure software"
Reply: Stormwalker: "RE: Standards for developing secure software"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 21 Jan 2003, Witness wrote:

> > > >The problem is that developers don't grok _ANY_ of the books.
> > > I wonder if some of this has to do with how the books are laid out.
> > I doubt that´s the main reason.

Hmmm.. i just joined this list and i've missed the part of the
discussion where the books were mentioned. I'd really love to know what
the titles were. Is this list archived anywhere?

<snip> 
> > (1) Many programmers see security as something extremly
> > difficult. This
> > leads them to give up before they even started.
> 
> This is probably because of how it is presented to most programmers.
> There are things that seem daunting, and trying to go over every single
> line of code to make sure that a program is up to some security spec
> isn't very difficult for small programs, but most programs aren't
> small - most are hundreds of thousands of lines of code and that is
> difficult.

I work for a software developer and my dual role is 'senior programmer'
and 'security technical architect'. It is my job to audit the lines of
code in large systems (tens/hundreds of thousands of lines of code) for
potential security issues.

Dealing with security in code in this way is daunting and inefficient
even for someone who knows what they are doing!

If programmers can be taught to code securely it is a more efficient way
of dealing with the issue and IMHO the quality of the result is always
better. Coding securely scales well, just as coding scales well :)

The problem is that uni courses are not teaching computer science
students to 'think secure' when they code, and until lecturers start to
teach good security coding practice - coders will code as they were
taught - insecurely.

> > (2) "It won´t happen to my application anyway"
> > (3) This is a job for the network and technet-guys to do.

i disagree. The programmers i work with are well aware that they
/should/ be programming with a 'secure' mindset, but they just have no
idea where to start. The topic is outside their sphere of knowledge.

Some programmers will make an effort, but you also have to look at the
commercial pressure on most programmers. Where i work the deadlines are
always tight and learning to program securely is far from the
programmers minds when they are struggling to get the application out
the door as it is :\ 

L8r,
Gustaf Bjorksten

Next message: Luciano Miguel Ferreira Rocha: "Re: Can System() of Perl be bypassed?"
Previous message: Ed Carp: "Re: Standards for developing secure software"
In reply to: Witness: "RE: Standards for developing secure software"
Next in thread: Glynn Clements: "RE: Standards for developing secure software"
Next in thread: dirk.dussartat_private: "Re: Standards for developing secure software"
Reply: Glynn Clements: "RE: Standards for developing secure software"
Reply: Stormwalker: "RE: Standards for developing secure software"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jan 23 2003 - 16:31:19 PST