WebApp Sec mailing list archives

RE: Secure Coding? Bah!


From: "Dinis Cruz" <dinis () ddplus net>
Date: Sun, 25 Jan 2004 22:47:29 -0000

I totally agree with Glenn on this, the root of 'insecure software' lies
in the current culture that promotes 'insecure software development'.

What is interesting about this debate is that almost everybody is right
in their individual comments (Programmers need to write secure code, but
they don't know how to do it and in some cases trying to teach them is a
waste of time and money).

In my humble opinion the problem is with:
        a) The development environment (which currently is primarily
designed for 'Rapid Code Development' and not for 'Secure Code
Development')

        b) The lack of an 'Application Security Measurement' Standard
which would allow the comparison of the level of security from Product A
to Product B

        c) The lack of a 'Secured inside' brand which would allow the
clients to clearly identify who is producing secure Applications

        d) The lack of client pressure for secure applications where
they say to the market "Security is a Deal-Breaker and we will only buy
Secure Applications". Of course, this is impossible to do without an
Application Security Standard and an Application Security Brand

        e) The lack of Application Vulnerability Assessment tools which
allow the automatic and regular test of an Application's Security during
the: Evaluation, Pilot, Implementation and Maintenance/Support phases

I have written an article about this which you might find interesting:
"Microsoft must deliver 'secure environments' not tools to write 'secure
code'" (see http://www.developersdex.com/gurus/articles/724.asp)

I have also created an Asp.Net Security Analyzer (published at Owasp:
http://www.owasp.net/dotnet) which is an example of the kind of tools
that are needed for the creation of these 'secure environments'.

Thanks to everybody for such an interesting discussion thread.

Best regards

Dinis Cruz
.Net Security Consultant
DDPlus (www.ddplus.net)


-----Original Message-----
From: Glenn_Everhart () bankone com [mailto:Glenn_Everhart () bankone com] 
Sent: 23 January 2004 13:49
To: webappsec () securityfocus com
Subject: RE: Secure Coding? Bah!

The article's point seems to be yet another rant that wants to convince
us that nobody can do any better than Microsoft has done, so get used to
perpetual hourly patches.

You get security out of software development by having a culture that
demands it among the developers. Such cultures do exist, even in the
commercial OS market, producing OSs with good resistance to attack.
Not perfect, but needing a handful or less patches per year...

Ranting that education is useless, that "everyone" demands features
first last and only, that nothing can be done better than continual
patches, is not innocent. It contributes to the problem because it fails
to reward those who HAVE a culture of security, rewards those who have
not, and reduces incentive to force improvement. (If you convince enough
judges that nobody can do better, what will happen when someone wants to
enforce warranties of merchantability on software sales, and hold
sellers to account?)

The author claims to dislike insecure code. He is powerfully encouraging
its development.



-----Original Message-----
From: David Wall @ Yozons, Inc. [mailto:dwall () yozons com]
Sent: Thursday, January 22, 2004 11:08 PM
To: webappsec () securityfocus com
Subject: Re: Secure Coding? Bah!


Does anyone know of any information about this author's credentials to
make these claims?

http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss306_art550,00.html

Not to be flippant, but what credentials would be needed?  He claims to
have a CISSP certification, though.  Overall, the claim seems rather
silly and pointless, as if driving safer "is not going to happen" so
there's no need to teach it.

Personally, I work in industry, but while I'm not an "industry leader,"
I know that there are many businesses that take security seriously when
it comes to creating software.  I'll grant that we could have better
tools to assess our progress, but one way we make more money is by
providing a secure solution to our customers.  That's our business,
though.  I've found similar concerns when dealing with IT in telecom,
health, banking and brokerage firms.  One solution they use is
outsourcing or purchasing software that already has a focus on security.

As for academia, I don't think "matriculating Ph.D.s" is required since
DePaul University and California State University both offer
security-related courses.

In the end, security is a trade off game.  Nothing has to be 100%
secure, just secure enough to do business.  Maybe Mr. Briney is a
purist, so he finds no benefit in getting better at security without
having total security.  Starbucks doesn't put metal detectors and armed
guards in its stores, not because they don't care about security, but
because the costs are higher than the benefits, including alienating
their customers.  I think the same is true for software.  Good software
is designed with security in mind from the get go, and many companies
realize that good security makes for a better product.  After all,
nobody wants their product to be victimized in the public's eye!

David
---------------------------------------------
David A. E. Wall
Chief Software Architect
Yozons, Inc.
Kirkland, Washington USA
Tel 425.822.4465    david.wall () yozons com
Fax 425.827.9415    www.yozons.com
Cell 425.985.6519

Yozons Signed & Secured - A secure document delivery, electronic
signature, spam-free, virus-free business private network
    - Used and proven by many in the Fortune 500
    - Low cost, hosted solutions for smaller businesses


