Secure Coding mailing list archives
What's the next tech problem to be solved in software security?
From: livshits at cs.stanford.edu (Benjamin Livshits)
Date: Thu, 7 Jun 2007 18:44:51 -0700
I've recently been working on providing better secure programming defaults. There's a great opportunity for doing so for applications written on top of frameworks/libraries. See our paper " Towards Security by Construction for Web 2.0 Applications" at a recent W2SP workshop. -Ben On 6/7/07, Steven M. Christey <coley at linus.mitre.org> wrote:
On Wed, 6 Jun 2007, Wietse Venema wrote:more and more people, with less and less experience, will be "programming" computer systems. The challenge is to provide environments that allow less experienced people to "program" computer systems without introducing gaping holes or other unexpected behavior.I completely agree with this. This is a grand challenge for software security, so maybe it's not the NEXT problem. There's a lot of tentative work in this area - safe strings in C, SafeInt, StackGuard/FormatGuard/etc., non-executable data segments, security patterns, and so on. But these are "bolt-on" methods on top of the same old languages or technologies, and some of these require developer awareness. I know there's been some work in "secure languages" but I'm not up-to-date on it. More modern languages advertise security but aren't necessarily catch-alls. I remember one developer telling me how his application used Ruby on Rails, so he was confident he was secure, but it didn't stop his app from having an obvious XSS in core functionality.An example is the popular PHP language. Writing code is comparatively easy, but writing secure code is comparatively hard. I'm working on the second part, but I don't expect miracles.PHP is an excellent example, because it's clearly lowered the bar for programming and has many features that are outright dangerous, where it's understandable how the careless/clueless programmer could have introduced the issue. Web programming in general, come to think of it. - Steve _______________________________________________ Secure Coding mailing list (SC-L) SC-L at securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________
-- Thanks, -Ben
Current thread:
- What's the next tech problem to be solved in software security? Kenneth Van Wyk (Jun 06)
- What's the next tech problem to be solved in software security? Michael Silk (Jun 06)
- What's the next tech problem to be solved in software security? Wietse Venema (Jun 06)
- What's the next tech problem to be solved in softwaresecurity? Michael S Hines (Jun 06)
- What's the next tech problem to be solved in software security? Steven M. Christey (Jun 07)
- What's the next tech problem to be solved in software bugtraq at cgisecurity.net (Jun 07)
- What's the next tech problem to be solved in software security? Benjamin Livshits (Jun 07)
- What's the next tech problem to be solved in software security? Stephen de Vries (Jun 08)
- What's the next tech problem to be solved in software security? ljknews (Jun 08)
- What's the next tech problem to be solved in software security? der Mouse (Jun 09)
- What's the next tech problem to be solved in software security? ljknews (Jun 09)
- What's the next tech problem to be solved in software security? Leichter, Jerry (Jun 08)