Re: Standards for developing secure software

From: Adrian Wiesmann (awiesmannat_private)
Date: Fri Jan 24 2003 - 01:05:13 PST

  • Next message: epicmcat_private: "RE: Can System() of Perl be bypassed?"

    I like it, when talk comes to the choice of language. Unfortunately, most
    of the time a few points are overlooked which I find are most important.
    Features of different languages and technologies are compared without
    looking at the cause of failure of most projects and software development:
    
    - The coice of technology is most seldom done on the question of what is
    best for that specific task. Either it is done by marketing (MS Partners
    will not choose anything without MS logo on it), or it is chosen by the
    management (We choose Java since everybody talks about it and I don't want
    to risk my head), or it is chosen by the first developer in project (I
    always used C++ and everything else is crap and my ego does not allow me
    to use anything else.)
    
    - The architecture of projects is most of the time either not done and the
    coding of the project starts ahead of any architecture because of
    deadlines or it is done by a not so much experienced developer.
    
    - Security is not a feature, since it is not needed for the business rules
    and in a demo for the customer, he won't notice if any security measures
    are in place or not, but he sees if things run like he want's them to. So
    first the project is made to run and generate results as needed and then
    in the last three minutes before end security is added. Many times even
    after the most testing is done on the code...
    
    I could go on like that, but I think I made a point :) Even my list above
    may look a bit sarcastic. I have seen all of those scenarios more than
    once.
    
    I think you have to choose the technology and language according to the
    environment and task you want to do. Security can be built and enforced
    with every language and most probably within every technology. Java can be
    fast, PHP can be fast, C++ can be slow. It's all about knowing and the
    respective environment one uses the language and technology in. 
    There is only one pitfall: you need to know what you do to do so...
    
    Regards,
    Adrian
    



    This archive was generated by hypermail 2b30 : Fri Jan 24 2003 - 10:39:46 PST