On Tue, 21 Jan 2003, Witness wrote:
>
> > > The problem is that developers don't grok _ANY_ of the books.
> >
> > I wonder if some of this has to do with how the books are laid out.
>
> I doubt that's the main reason.

Hmmm.. I just joined this list and I've missed the part of the discussion where the books were mentioned. I'd really love to know what the titles were. Is this list archived anywhere?

<snip>

> > (1) Many programmers see security as something extremely
> > difficult. This
> > leads them to give up before they even started.
>
> This is probably because of how it is presented to most programmers.
> There are things that seem daunting, and trying to go over every single
> line of code to make sure that a program is up to some security spec
> isn't very difficult for small programs, but most programs aren't
> small - most are hundreds of thousands of lines of code and that is
> difficult.

I work for a software developer and my dual role is 'senior programmer' and 'security technical architect'. It is my job to audit the lines of code in large systems (tens/hundreds of thousands of lines of code) for potential security issues. Dealing with security in code in this way is daunting and inefficient even for someone who knows what they are doing!

If programmers can be taught to code securely it is a more efficient way of dealing with the issue and IMHO the quality of the result is always better. Coding securely scales well, just as coding scales well :)

The problem is that uni courses are not teaching computer science students to 'think secure' when they code, and until lecturers start to teach good security coding practice - coders will code as they were taught - insecurely.

> > (2) "It won't happen to my application anyway"
> > (3) This is a job for the network and technet-guys to do.

I disagree. The programmers I work with are well aware that they /should/ be programming with a 'secure' mindset, but they just have no idea where to start. The topic is outside their sphere of knowledge. Some programmers will make an effort, but you also have to look at the commercial pressure on most programmers. Where I work the deadlines are always tight and learning to program securely is far from the programmers' minds when they are struggling to get the application out the door as it is :\

L8r,
Gustaf Bjorksten
This archive was generated by hypermail 2b30 : Thu Jan 23 2003 - 16:31:19 PST