Secure Coding mailing list archives

Re: Missing the point?


From: "Paco Hope" <bhope () cigital com>
Date: Tue, 20 Apr 2004 21:54:03 +0100

On 4/20/04 12:34 PM, "Michael A. Davis" <[EMAIL PROTECTED]> wrote:
> Isn't she missing the point? It is not the source code that is the
> problem -- it is the developer.

You can bake bread with flour, water, salt, yeast, and an old wood oven.
You can also buy a bread machine and a kit with pre-mixed ingredients.  You
can also go to the store and just buy a loaf of bread. There is a parallel
here for software.

While you are exactly right that developers write bad code, we shouldn't
leave the developers out in the cold and just say "You are the problem.
Learn to write better code."  If there are code auditing and testing tools
that can catch problems early, we should welcome them wholeheartedly.  We
should never delude ourselves that the tools will allow developers to be
dumb. Nor will blind tools replace developer training and education.

We allow developers to have debuggers, right?  Why not let them have code
tools that scan for stupid errors like buffer overflows in their code? It's
just another tool in the toolbox.  Great developers, like great artists,
still must be fluent with their tools.

Right now, most developers use the raw ingredients and an old wood oven to
bake their bread.  Debates rage over what kind of flour or salt to use.  If
we can put a bread machine on their desk, give them better ingredients, and
show them how to use it, why not?  We are not yet to the point in software
security where we can go to the store and buy a loaf of bread and expect it
to be secure.  Maybe if we try we can at least get to the bread machine
level. Fewer variables to screw up. We can give the bakers better tools, and
we should.

Paco
-- 
Paco Hope, CISSP
Senior Software Security Consultant
Cigital, Inc. http://www.cigital.com/
[EMAIL PROTECTED] -- +1.703.404.5769


