Secure Coding mailing list archives
re-writing college books - erm.. ahm...
From: crispin at novell.com (Crispin Cowan)
Date: Sat, 28 Oct 2006 13:37:01 -0700
Robert C. Seacord wrote:
Seeking perfect correctness as an approach to security is a fool's errand. Security is designing systems that can tolerate imperfect software.
I could go along with "achieving perfect correctness as an approach to security is a fool's belief" but I believe the desire to achieve correctness is a prerequisite for security. More specifically, I have found that systematic schemes for providing software security (such as memory protection, canaries, etc.) are generally ineffective once a coding error (such as a buffer overflow) allows an attacker to penetrate the peripheral defense of code correctness. Given the current state of software security, I don't think any security "best" practice can be abandoned and that defense-in-depth is a practical necessity.
I don't think we disagree. When I said that seeking correctness is a fool's errand, I meant (more precisely) that *depending on achieving* correctness is a fool's errand. You must always assume the presence of imperfect software, and then design in defense in depth to tolerate that. Using other software engineering techniques (secure coding, the occasional topic of this mailing list :) certainly helps, but cannot be the whole approach to security.
Also, back on the book topic, I recently heard of an older but successful book that did nothing but take examples from other books and show in detail how they were incorrect. Perhaps such a "supplemental" text could be developed for commonly used text books.
I like it! Bugtraq for books :) My engineers are quite fond of The *Daily WTF* <http://thedailywtf.com/>, a web site that lampoons bad code.
Crispin