RE: Standards for developing secure software

From: Gustaf Bjorksten (gustafat_private)
Date: Wed Jan 22 2003 - 22:55:44 PST


    On Tue, 21 Jan 2003, Witness wrote:
    
    > > > >The problem is that developers don't grok _ANY_ of the books.
    > > > I wonder if some of this has to do with how the books are laid out.
    > > I doubt that's the main reason.
    
    Hmmm.. I just joined this list and I've missed the part of the
    discussion where the books were mentioned. I'd really love to know what
    the titles were. Is this list archived anywhere?
    
    <snip> 
    > > (1) Many programmers see security as something extremely
    > > difficult. This
    > > leads them to give up before they even started.
    > 
    > This is probably because of how it is presented to most programmers.
    > There are things that seem daunting, and trying to go over every single
    > line of code to make sure that a program is up to some security spec
    > isn't very difficult for small programs, but most programs aren't
    > small - most are hundreds of thousands of lines of code and that is
    > difficult.
    
    I work for a software developer and my dual role is 'senior programmer'
    and 'security technical architect'. It is my job to audit the lines of
    code in large systems (tens/hundreds of thousands of lines of code) for
    potential security issues.
    
    Dealing with security in code in this way is daunting and inefficient
    even for someone who knows what they are doing!
    
    If programmers can be taught to code securely it is a more efficient way
    of dealing with the issue and IMHO the quality of the result is always
    better. Coding securely scales well, just as coding scales well :)
    
    The problem is that uni courses are not teaching computer science
    students to 'think secure' when they code, and until lecturers start to
    teach good security coding practice - coders will code as they were
    taught - insecurely.
    
    > > (2) "It won't happen to my application anyway"
    > > (3) This is a job for the network and technet-guys to do.
    
    I disagree. The programmers I work with are well aware that they
    /should/ be programming with a 'secure' mindset, but they just have no
    idea where to start. The topic is outside their sphere of knowledge.
    
    Some programmers will make an effort, but you also have to look at the
    commercial pressure on most programmers. Where I work the deadlines are
    always tight and learning to program securely is far from the
    programmers' minds when they are struggling to get the application out
    the door as it is :\ 
    
    L8r,
    Gustaf Bjorksten
    


