Secure Coding mailing list archives
Re: Missing the point?
From: "Paco Hope" <bhope () cigital com>
Date: Tue, 20 Apr 2004 21:54:03 +0100
On 4/20/04 12:34 PM, "Michael A. Davis" <[EMAIL PROTECTED]> wrote:

> Isn't she missing the point? It is not the source code that is the problem -- it is the developer.

You can bake bread with flour, water, salt, yeast, and an old wood oven. You can also buy a bread machine and a kit with pre-mixed ingredients. You can also go to the store and just buy a loaf of bread. There is a parallel here for software.

While you are exactly right that developers write bad code, we shouldn't leave the developers out in the cold and just say "You are the problem. Learn to write better code." If there are code auditing and testing tools that can catch problems early, we should welcome them wholeheartedly. We should never delude ourselves that the tools will allow developers to be dumb. Nor will blind tools replace developer training and education. We allow developers to have debuggers, right? Why not let them have code tools that scan for stupid errors like buffer overflows in their code? It's just another tool in the toolbox. Great developers, like great artists, still must be fluent with their tools.

Right now, most developers use the raw ingredients and an old wood oven to bake their bread. Debates rage over what kind of flour or salt to use. If we can put a bread machine on their desk, give them better ingredients, and show them how to use it, why not?

We are not yet to the point in software security where we can go to the store and buy a loaf of bread and expect it to be secure. Maybe if we try we can at least get to the bread machine level. Fewer variables to screw up. We can give the bakers better tools, and we should.

Paco

--
Paco Hope, CISSP
Senior Software Security Consultant
Cigital, Inc. http://www.cigital.com/
[EMAIL PROTECTED] -- +1.703.404.5769

----------------------------------------------------------------------------
This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You.
----------------------------------------------------------------------------