Re: Thoughts on Shellshock and beyond

[Tim <tim-security () sentinelchicken org>]

On Wed, Oct 08, 2014 at 08:20:04PM -0400, David A. Wheeler wrote:
> On Wed, 8 Oct 2014 15:48:10 -0700, Tim <tim-security () sentinelchicken org> wrote:
> > To me, it's not about anticipating the next bug, it is about providing
> > guidance to developers who care only so much about security so that we
> > can avoid some bugs that we didn't anticipate.
>
> Agree!
>
> > PS- I'm of two minds on this.  More recently I've decided that educating
> >     developers isn't nearly as effective as providing developers APIs and
> >     development environments that make it unlikely they will shoot
> >     themselves in the foot.  It's not that developers can't be trained,
> >     it is that they will probably only be developers for a handful of 
> >     years and move on to other roles later, with a whole new batch of
> >     green coders coming in to fill their positions.  Anyway...
>
> I don't think there's an either/or here.  Yes, if you *can* change the
> tools/libraries/development environments to prevent attacks, or reduce
> their effectiveness, you *should*.
>
> That said, a fool with a tool is still a fool.  There's no way to create
> a development environment that can't be misused.  Thus, you'll always need
> to educate and train developers for situations the system cannot prevent.
> In the long term I think this will be easier, because novice developers will be able
> to learn from the many experts around them.  Today, the number of
> developers who understand security issues is a vanishingly small percentage
> of the total, so the novice has no one to learn from.


No, I agree it's not an either/or.  I'm just beginning to think it is
more cost-effective to fix APIs and platforms than try to educate the
ever-shifting armies of developers.

tim