Full Disclosure mailing list archives

Re: Coding securely, was Linux (in)security


From: coderman <coderman () charter net>
Date: Sun, 26 Oct 2003 18:56:53 -0800

Paul Schmehl wrote:

If the input is *known* or has already been validated, why would you need to check it? My point is, if you can't know what the input will be, you *must* check it. The problem is that many programmers don't think like hackers. They write code as if every user will input the correct data because, after all, they're trying to use it, not abuse it.

That, of course, fails with the first person who types something incorrectly on the keyboard (intentionally or unintentionally) or when the input from some device is different than what the programmer thought it could ever be (for whatever reason.)

Secure programming requires additional skill and focus during design, development, testing and configuration. Ultimately the market decides winners in the software space, and everyone needs to see security as a feature worth paying more for, in terms of employees designing and building the systems, to QA testers performing thorough audits before deployment, to users comparing choices in the corporate or consumer software space.

I think the software market (consumers and producers) are equally responsible for the state of security - it costs more time and money and skill to build secure systems: are people paying more for the secure alternatives on the market? do people make a thorough effort to address security before purchase? Until the answer is yes, the current method will remain the market leader. Those that ignore security (to the extent they can) will come to market faster and cheaper than their more secure alternatives.

[ I'm also conveniently ignoring monopoly considerations, etc ]


Security is a hard problem, and somehow we need to make it coherent and valuable in the eyes of everyone involved. (I don't have the answer, and it's certainly not just a software problem)
