Secure Coding mailing list archives

What's the next tech problem to be solved in software security?

From: livshits at cs.stanford.edu (Benjamin Livshits)
Date: Thu, 7 Jun 2007 18:44:51 -0700

I've recently been working on providing better secure programming
defaults. There's a great opportunity for doing so for applications
written on top of frameworks/libraries.

See our paper " Towards Security by Construction for Web 2.0
Applications" at a recent W2SP workshop.

-Ben

On 6/7/07, Steven M. Christey <coley at linus.mitre.org> wrote:


On Wed, 6 Jun 2007, Wietse Venema wrote:

more and more people, with less and less experience, will be
"programming" computer systems.

The challenge is to provide environments that allow less experienced
people to "program" computer systems without introducing gaping
holes or other unexpected behavior.


I completely agree with this.  This is a grand challenge for software
security, so maybe it's not the NEXT problem.  There's a lot of tentative
work in this area - safe strings in C, SafeInt,
StackGuard/FormatGuard/etc., non-executable data segments, security
patterns, and so on.  But these are "bolt-on" methods on top of the same
old languages or technologies, and some of these require developer
awareness.  I know there's been some work in "secure languages" but I'm
not up-to-date on it.

More modern languages advertise security but aren't necessarily
catch-alls.  I remember one developer telling me how his application used
Ruby on Rails, so he was confident he was secure, but it didn't stop his
app from having an obvious XSS in core functionality.

An example is the popular PHP language. Writing code is comparatively
easy, but writing secure code is comparatively hard. I'm working on
the second part, but I don't expect miracles.


PHP is an excellent example, because it's clearly lowered the bar for
programming and has many features that are outright dangerous, where it's
understandable how the careless/clueless programmer could have introduced
the issue.  Web programming in general, come to think of it.

- Steve
_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________



-- 
Thanks,
-Ben

Current thread:

What's the next tech problem to be solved in software security? Kenneth Van Wyk (Jun 06)
- What's the next tech problem to be solved in software security? Michael Silk (Jun 06)
- What's the next tech problem to be solved in software security? Wietse Venema (Jun 06)
  - What's the next tech problem to be solved in softwaresecurity? Michael S Hines (Jun 06)
  - What's the next tech problem to be solved in software security? Steven M. Christey (Jun 07)
    - What's the next tech problem to be solved in software bugtraq at cgisecurity.net (Jun 07)
    - What's the next tech problem to be solved in software security? Benjamin Livshits (Jun 07)
    - What's the next tech problem to be solved in software security? Stephen de Vries (Jun 08)
    - What's the next tech problem to be solved in software security? ljknews (Jun 08)
    - What's the next tech problem to be solved in software security? der Mouse (Jun 09)
    - What's the next tech problem to be solved in software security? ljknews (Jun 09)
    - What's the next tech problem to be solved in software security? Leichter, Jerry (Jun 08)