Secure Coding mailing list archives
Re: How do we improve s/w developer awareness?
From: "Paco Hope" <bhope () cigital com>
Date: Thu, 11 Nov 2004 21:59:33 +0000
On the one hand, we're revisiting a topic that comes up like clockwork every 3 months or so. Someone rants that it's the developers' fault, then someone will inject a recommendation that tools can allow us to use trained monkeys, and then someone will bring out an obscure operating system or language and just say "If we all wrote object oriented snobol on Atari 2600s we wouldn't have this problem." Lather. Rinse. Repeat.

On the other hand, I think I can say something constructive in reply to this.

On 11/11/04 11:46 AM, "ljknews" <[EMAIL PROTECTED]> wrote:
As a software developer, I care about such issues, but the compilations you list are largely not applicable to the operating system and programming languages with which I work.
Advisories, problems, and failures do not have to involve your platform or language to be instructive. In fact, in this age of productization and commoditization of technology, many of the differences are superficial. Sure, the stock exploits won't apply, or maybe the concepts need some translation, but there is absolutely a good reason to be aware of the failures in other software. The same marketing that makes us think FooBarSystems Gronkulator 4.2 is much better than Gronkulator 4.1 makes us think that security issues written up on Gronkulator 4.x have nothing to do with other versions of Gronkulator, or Linux for that matter.

There are a surprisingly small number of tools in hackers' toolboxes, yet they all seem to fit lots and lots of software. For example, a developer developing a traditional 3-tier web app using VB.NET on Windows servers would absolutely benefit from understanding how the design and architecture of a 3-tier java-based site running on Solaris failed. You have to be able to extrapolate and get a view of the forest instead of the trees, but it is valuable indeed.

Should you join every single mailing list in the world and read every single post? No. Should you only join the security-[platform]-[language] email list for the one thing you program? Also no. Somewhere between the extremes of "read everything you can" and working with blinders on is the "right" place where you read "stuff that I'm not working on, but informs me." It's not always an easy place to find. But I reject categorical statements like the one above that appear to say "if it ain't specific to my platform, it has no value to me."

Paco

--
Paco Hope, CISSP
Senior Software Security Consultant
Cigital, Inc. http://www.cigital.com/
[EMAIL PROTECTED] -- +1.703.585.7868

----------------------------------------------------------------------------
This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You.
----------------------------------------------------------------------------
Current thread:
- How do we improve s/w developer awareness? Kenneth R. van Wyk (Nov 11)
- Re: How do we improve s/w developer awareness? ljknews (Nov 11)
- Re: How do we improve s/w developer awareness? Paco Hope (Nov 11)
- Re: How do we improve s/w developer awareness? ljknews (Nov 12)
- Re: How do we improve s/w developer awareness? M Taylor (Nov 12)
- Re: How do we improve s/w developer awareness? ljknews (Nov 12)
- Re: How do we improve s/w developer awareness? Paco Hope (Nov 11)
- Re: How do we improve s/w developer awareness? ljknews (Nov 11)
- Re: How do we improve s/w developer awareness? Greenarrow 1 (Nov 29)
- <Possible follow-ups>
- Re: How do we improve s/w developer awareness? Yousef Syed (Nov 12)
- Re: How do we improve s/w developer awareness? Gunnar Peterson (Nov 12)
- Re: How do we improve s/w developer awareness? Jeff Williams (Nov 12)
- Re: How do we improve s/w developer awareness? Gunnar Peterson (Nov 12)
- Re: How do we improve s/w developer awareness? Gunnar Peterson (Nov 12)