Secure Coding mailing list archives
Re: Yoran on the state of software security
From: "Greenarrow 1" <Greenarrow1 () msn com>
Date: Thu, 22 Apr 2004 14:40:09 +0100
I feel government should not become involved with the internet and/or its security. For one, if people look at the government's security, most departments have a grade of C or below. Would you want someone like that telling you how to secure programming?

Regards,
George
Greenarrow1
InNetInvestigations-Forensics

----- Original Message -----
From: "Kenneth R. van Wyk" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, April 20, 2004 8:07 AM
Subject: Re: [SC-L] Yoran on the state of software security
Greetings all,

I was asked to clarify what I posted yesterday re Amit Yoran's recent public statements on the topic of software security.

On Tuesday 20 April 2004 03:27, an SC-L reader wrote:

> Ken, could you clarify a little please?

Happy to, see below.

> I detect a slightly snide tone that suggests that you disagree with the assertion that "it is inexplicable to produce software that suffers from buffer overruns". Is that really your position? If so, why?

Heavens no! Sorry for the ambiguity. Indeed, the issue of buffer overruns is probably the principal one that convinced me to co-author Secure Coding with Mark Graff. I'd like to see them become the polio of the tech world. What I was trying to make light about in my note is whether Yoran got that notion from my statement in my TechTV interview -- that we have to focus more of our attention at improving software security. That was where the "me neither..." came from, because I have no delusions that he would have caught my segment on the show -- or that it would have influenced him in any way even if he had.

> Of course there are lots of other security issues (not least "social engineering" ones) but in what way is security /harmed/ by disciplined programming in appropriate languages supported by appropriate tools? Our experience is that such rigorous software engineering approaches result in more robust and secure product and a significant cost saving over less rigorous approaches.

Yes, I fully concur. I found it encouraging that Yoran is raising software security as a major issue also. I do wish that he'd used other examples than only buffer overruns, but it's a good step in the right direction. I'm particularly big on improving the design phase, long before any line of code (overrun or not) has been written.

Does that help clarify my point?

Cheers,

Ken van Wyk
--
KRvW Associates, LLC
http://www.KRvW.com