Secure Coding mailing list archives
Re: Is developer education a lost cause?
From: Pascal Meunier <pmeunier () cerias purdue edu>
Date: Fri, 23 Jan 2004 14:30:54 +0000
You can't make good cooking by concentrating on the quality of only one ingredient at a time and saying: "I'm not getting a great cake by getting better eggs, so I should not put effort into getting and using good eggs" (repeat with flour, sugar, butter, leavening, and then despair that you'll never get a great cake :-).

I have seen code quality improve with little or no additional programming time simply by making a student aware of those repeated mistakes and trust issues. Did they make perfect code immediately afterwards? No. But it improved. I believe that code quality would improve even more with management support, better programming languages and automated checkers, development practices that support code reviews, and consumers that demand secure products and are willing to "pay" (in one way or another) for them. None of these can be isolated completely from the others. There's no magic recipe or lost cause!

Perhaps now Democrats will be quite motivated in funding computer security initiatives and research, which could help :-). I wonder if the responsible people will be brought to court. I hope that the result won't be more stupid legislation.

Cheers,
Pascal

Pascal Meunier, Ph.D., M.Sc., CISSP
Assistant Research Scientist
Purdue University CERIAS

On 1/22/04 4:55 PM, "Kenneth R. van Wyk" <[EMAIL PROTECTED]> wrote:
Hi all,

Over on the Full-Disclosure mailing list, there was a recent thread that questioned whether trying to educate the end consumer of PC products is a lost cause. Malicious software has managed to dupe unsuspecting users into doing things that security professionals have frowned on for many years, despite untold numbers of news stories warning users about the problems. To many, it would appear that the computing masses are... <diplomatic>knowledge resistant</diplomatic>. :-)

Well, if things are really that bad for the end consumer, how does the situation bode for the average software developer? That is, we've all seen untold numbers of news stories about buffer overflows and the like. Why is it that we don't seem to be making much progress in stamping out these things? (I should note that I am not including present company here on SC-L in this question, since we're presumably all here because we're concerned enough about secure application development that we want to discuss and learn with other like-minded folk.)

Is developer education a lost cause? I happen to think that it isn't, but that opinion isn't shared by everyone. Indeed, a few of the people that I talked with about participating here on SC-L were reluctant because they were fed up with trying to educate the masses.

If you agree that it isn't a lost cause, then what more {c|sh}ould be done? That said, how do we measure or even know if things are improving? By the number of vulnerability advisories per month? (I hope not.)

Cheers,
Ken van Wyk
Current thread:
- Is developer education a lost cause? Kenneth R. van Wyk (Jan 22)
- RE: Is developer education a lost cause? Jason Wilcox (Jan 22)
- Re: Is developer education a lost cause? Joe Teff (Jan 22)
- RE: Is developer education a lost cause? Michael S Hines (Jan 23)
- Re: Is developer education a lost cause? Pascal Meunier (Jan 23)
- Re: Is developer education a lost cause? Chris Wysopal (Jan 23)
- Re: Is developer education a lost cause? George Capehart (Jan 23)
- <Possible follow-ups>
- RE: Is developer education a lost cause? Robert Shields (Jan 23)
- Re: Is developer education a lost cause? Richard Moore (Jan 23)
- RE: Is developer education a lost cause? Giri, Sandeep (Jan 23)
- RE: Is developer education a lost cause? Robert Shields (Jan 23)
- Re: Is developer education a lost cause? Gary McGraw (Jan 23)
- RE: Is developer education a lost cause? Jeremy Epstein (Jan 30)
- Re: Is developer education a lost cause? der Mouse (Jan 31)
- RE: Is developer education a lost cause? Jeremy Epstein (Feb 02)
(Thread continues...)