Secure Coding mailing list archives

RE: Is developer education a lost cause?


From: "Giri, Sandeep" <giris () deshaw com>
Date: Fri, 23 Jan 2004 14:32:47 +0000

I agree that focus needs to be on managers.
If we assume that the manager wants a secure product and (s)he gives a generous
timeline, then developers' education comes into the picture.
They are always taught how they can write secure code, but they never study
how the code can be hacked and has been hacked in the past.
I saw a few security classes in which they simply kept on telling the
philosophy of writing code.
I would suggest that educators follow this strategy:
        1. Show a piece of code and ask for bugs existing in it
        2. Demonstrate the various ways of exploiting it
        3. Suggest a quick-fix
        4. Show the flaws with fix
        5. Go to 3) if the fix is improper.
        6. Discuss the chapters learnt

I remember I was asked to perform code audits of various applications.
I knew it was impossible so I decided to give a small lecture to all
developers of those applications.
I followed the above strategy and afterwards the developers themselves found
the problems and fixes of those problems.
And there was little (or no) need for audits.

Hence, developer education is a must.

Regards,
Sandeep
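The six-step walk-through above, as a worked C example added to this archive page (it is not code from the post or from any of its authors): the code shown to the class is a fixed-size strcpy, the quick fix most people offer first is strncpy, the flaw in that fix is the missing terminator, and the second attempt measures before it copies. The buffer size, the sample inputs and the function names are constructed for illustration. The overflow itself is never executed, because doing so is undefined behaviour; step 2 instead computes how far past the buffer the vulnerable copy would write.

```c
/* Teaching walk-through of a classic C bounds bug, following the six steps
 * in the post. Constructed example for this page, not code from the thread.
 * Build: cc -std=c11 -Wall -Wextra audit_demo.c -o audit_demo
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUF_SIZE 16   /* assumed fixed-size field, e.g. a username column */

/* Step 1: the code shown to the class. Nothing stops src from being longer
 * than the 16-byte destination, so strcpy writes past the end of dst.
 * Deliberately never called with oversized input here: that is undefined
 * behaviour (a stack smash in the usual layout). */
void copy_unchecked(char dst[BUF_SIZE], const char *src)
{
    strcpy(dst, src);
}

/* Step 2: quantify the exploit instead of running it. Returns how many bytes
 * copy_unchecked would write beyond dst for a given src (0 if it fits).
 * A 40-byte name overwrites 25 bytes of whatever follows the buffer on the
 * stack: saved registers, the return address, or a neighbouring flag. */
size_t overflow_bytes(const char *src)
{
    size_t need = strlen(src) + 1;          /* payload plus terminator */
    return need > BUF_SIZE ? need - BUF_SIZE : 0;
}

/* Step 3: the quick fix, "just use strncpy".
 * Step 4: its flaw. strncpy stops after BUF_SIZE bytes and does NOT add a
 * terminator when src is BUF_SIZE bytes or longer, so the next strlen() or
 * printf("%s") on dst reads past the buffer. Returns 1 if dst ended up
 * terminated, 0 if it did not. */
int copy_quick_fix(char dst[BUF_SIZE], const char *src)
{
    strncpy(dst, src, BUF_SIZE);
    return memchr(dst, '\0', BUF_SIZE) != NULL;
}

/* Step 5 (back to step 3): measure first, then copy. Oversized input is
 * rejected rather than silently truncated, dst is always terminated, and
 * the caller gets a result it can act on. Returns 0 on success, -1 if src
 * does not fit including its terminator. */
int copy_checked(char dst[BUF_SIZE], const char *src)
{
    size_t n = 0;
    while (n < BUF_SIZE && src[n] != '\0')  /* bounded length scan */
        n++;
    if (n >= BUF_SIZE) {
        dst[0] = '\0';                      /* leave dst in a safe state */
        return -1;
    }
    memcpy(dst, src, n + 1);                /* includes the terminator */
    return 0;
}

int main(void)
{
    /* Constructed inputs: one that fits, one exactly at the limit, one long. */
    const char *ok   = "alice";
    const char *edge = "0123456789abcdef";                          /* 16 chars */
    const char *evil = "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"; /* 40 */
    char buf[BUF_SIZE];
    int rc;

    printf("step 2: a %zu-char name overflows dst by %zu bytes\n",
           strlen(evil), overflow_bytes(evil));
    printf("step 4: strncpy of a 16-char input left dst terminated? %d\n",
           copy_quick_fix(buf, edge));
    printf("step 5: checked copy of a 16-char input -> %d\n",
           copy_checked(buf, edge));
    rc = copy_checked(buf, ok);
    printf("step 5: checked copy of '%s' -> %d, buf='%s'\n", ok, rc, buf);
    return 0;
}
```

In a class, the point of step 4 is that the strncpy "fix" looks right, compiles without warnings, and only fails on input of exactly the buffer size or longer, which is precisely what an attacker sends; the second fix also changes the interface so the caller learns that input was rejected instead of guessing.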


-----Original Message-----
From: Jason Wilcox [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 23, 2004 5:00 AM
To: 'Kenneth R. van Wyk'; [EMAIL PROTECTED]
Subject: RE: [SC-L] Is developer education a lost cause?


Quite simply, the problem will never be solved by simply targeting the
developers. Developers are very simple people; they do what they need to in
order to get the job done according to the requirements they are given and
the time constraints they have.

The focus needs to be on managers, project managers, customers, and
consumers; it's that simple. Developers in general would be happy programming
securely if they weren't penalized for it. And by penalized I am talking
about the extended timelines that they will require vs the developers that
don't do it, or by those that recognize that if they do, they don't get the
job, raise, promotion, or whatever it would be. But in general we don't talk
about that side of it.

Are developers a lost cause? No, they aren't. Is the developer the root of the
problem, or in a position to solve the problem? No, they are not.

Jason P Wilcox
Director Security Services
SecureNet LTD

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Kenneth R. van Wyk
Sent: Thursday, January 22, 2004 3:55 PM
To: [EMAIL PROTECTED]
Subject: [SC-L] Is developer education a lost cause?

Hi all,

Over on the Full-Disclosure mailing list, there was a recent thread that 
questioned whether trying to educate the end consumer of PC products is a 
lost cause.  Malicious software has managed to dupe unsuspecting users into 
doing things that security professionals have frowned on for many years, 
despite untold numbers of news stories warning users about the problems.  
To many, it would appear that the computing masses are...
<diplomatic>knowledge resistant</diplomatic>.  :-)

Well, if things are really that bad for the end consumer, how does the 
situation bode for the average software developer?  That is, we've all seen 
untold numbers of news stories about buffer overflows and the like.  Why is 
it that we don't seem to be making much progress in stamping out these 
things?  (I should note that I am not including present company here on 
SC-L in this question, since we're presumably all here because we're 
concerned enough about secure application development that we want 
to discuss and learn with other like-minded folk.)

Is developer education a lost cause?  

I happen to think that it isn't, but that opinion isn't shared by everyone. 
Indeed, a few of the people that I talked with about participating here on 
SC-L were reluctant because they were fed up with trying to educate the
masses.

If you agree that it isn't a lost cause, then what more {c|sh}ould be done?

That said, how do we measure or even know if things are improving?  By the 
number of vulnerability advisories per month?  (I hope not.)  

Cheers,

Ken van Wyk
