Secure Coding mailing list archives

Re: How do we improve s/w developer awareness?


From: "Paco Hope" <bhope () cigital com>
Date: Thu, 11 Nov 2004 21:59:33 +0000

On the one hand, we're revisiting a topic that comes up like clockwork every
3 months or so.  Someone rants that it's the developers' fault, then someone
will inject a recommendation that tools can allow us to use trained monkeys,
and then someone will bring out an obscure operating system or language and
just say "If we all wrote object oriented snobol on Atari 2600s we wouldn't
have this problem."  Lather. Rinse. Repeat.

On the other hand, I think I can say something constructive in reply to
this.

On 11/11/04 11:46 AM, "ljknews" <[EMAIL PROTECTED]> wrote:
As a software developer, I care about such issues, but the compilations
you list are largely not applicable to the operating system and programming
languages with which I work.

Advisories, problems, and failures do not have to involve your platform or
language to be instructive. In fact, in this age of productization and
commoditization of technology, many of the differences are superficial.
Sure, the stock exploits won't apply, or maybe the concepts need some
translation, but there is absolutely a good reason to be aware of the
failures in other software. The same marketing that makes us think
FooBarSystems Gronkulator 4.2 is much better than Gronkulator 4.1 makes us
think that security issues written up on Gronkulator 4.x have nothing to do
with other versions of Gronkulator, or Linux for that matter. There are a
surprisingly small number of tools in hackers' toolboxes, yet they all seem
to fit lots and lots of software.

For example, a developer developing a traditional 3-tier web app using
VB.NET on Windows servers would absolutely benefit from understanding how
the design and architecture of a 3-tier java-based site running on Solaris
failed. You have to be able to extrapolate and get a view of the forest
instead of the trees, but it is valuable indeed.

Should you join every single mailing list in the world and read every single
post? No. Should you only join the security-[platform]-[language] email list
for the one thing you program? Also no. Somewhere between the extremes of
"read everything you can" and working with blinders on is the "right" place
where you read "stuff that I'm not working on, but informs me." It's not
always an easy place to find. But I reject categorical statements like the
one above that appear to say "if it ain't specific to my platform, it has no
value to me."

Paco
--
Paco Hope, CISSP
Senior Software Security Consultant
Cigital, Inc. http://www.cigital.com/
[EMAIL PROTECTED] -- +1.703.585.7868
