Secure Coding mailing list archives

Re: ACM Queue article and security education


From: "Kenneth R. van Wyk" <Ken () KRvW com>
Date: Wed, 30 Jun 2004 17:11:58 +0100


James Walden wrote:

> I'd like to open a discussion based on this quote from Marcus Ranum's 
> ACM Queue article entitled "Security: The root of the problem":


Thanks.  I also read Marcus's article with interest.  Caveat: clearly, I 
have a biased outlook, since software security training is one of the 
things that I do for a living.


Overall, I like and agree with much of what Marcus said in the article.  
I don't, however, believe that we can count on completely putting 
security "below the radar" for developers.  Having strong languages, 
compilers, and run-time environments that actively look out for and 
prevent common problems like buffer overruns are worthy goals, to be 
sure, but counting solely on them presumes that there are no security 
problems at the design, integration, or operations stages of the 
lifecycle.  Even if the run-time environment that Marcus advocates is 
_perfect_ in its protection, these other issues are still problematic 
and require the developers and operations staff to understand the problems.


