Secure Coding mailing list archives

Re: Yoran on the state of software security


From: "Greenarrow 1" <Greenarrow1 () msn com>
Date: Thu, 22 Apr 2004 14:40:09 +0100

I feel government should not become involved with the internet and/or its 
security.  For one, if people look at the government's security, most 
departments have a grade of C or below.  Would you want someone like that 
telling you how to secure programming?

Regards,
George
Greenarrow1
InNetInvestigations-Forensics


----- Original Message ----- 
From: "Kenneth R. van Wyk" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, April 20, 2004 8:07 AM
Subject: Re: [SC-L] Yoran on the state of software security


Greetings all,

I was asked to clarify what I posted yesterday re Amit Yoran's recent public
statements on the topic of software security.

On Tuesday 20 April 2004 03:27, an SC-L reader wrote:
Ken, could you clarify a little please?

Happy to, see below.

I detect a slightly snide tone that suggests that you disagree with the
assertion that "it is inexplicable to produce software that suffers from
buffer overruns".  Is that really your position?  If so, why?

Heavens no!  Sorry for the ambiguity.  Indeed, the issue of buffer overruns is
probably the principal one that convinced me to co-author Secure Coding with
Mark Graff.  I'd like to see them become the polio of the tech world.

What I was trying to make light about in my note is whether Yoran got that
notion from my statement in my TechTV interview -- that we have to focus more
of our attention at improving software security.  That was where the "me
neither..." came from, because I have no delusions that he would have caught
my segment on the show -- or that it would have influenced him in any way
even if he had.

Of course there are lots of other security issues (not least "social
engineering" ones) but in what way is security /harmed/ by disciplined
programming in appropriate languages supported by appropriate tools?  Our
experience is that such rigorous software engineering approaches result in
more robust and secure product and a significant cost saving over less
rigorous approaches.

Yes, I fully concur.  I found it encouraging that Yoran is raising software
security as a major issue also.  I do wish that he'd used other examples than
only buffer overruns, but it's a good step in the right direction.  I'm
particularly big on improving the design phase, long before any line of code
(overrun or not) has been written.

Does that help clarify my point?

Cheers,

Ken van Wyk
-- 
KRvW Associates, LLC
http://www.KRvW.com