Re: Yoran on the state of software security

["Kenneth R. van Wyk" <Ken () KRvW com>]

Greetings all,

I was asked to clarify what I posted yesterday re Amit Yoran's recent public 
statements on the topic of software security.

On Tuesday 20 April 2004 03:27, an SC-L reader wrote:
> Ken, could you clarify a little please?

Happy to, see below.

> I detect a slighly snide tone that suggests that you disagree with the
> assertion that "it is inexplicable to produce software that suffers from
> buffer overruns".  Is that really your position?  If so, why?

Heavens no!  Sorry for the ambiguity.  Indeed, the issue of buffer overruns is 
probably the principal one that convinced me to co-author Secure Coding with 
Mark Graff.  I'd like to see them become the polio of the tech world.

What I was trying to make light about in my note is whether Yoran got that 
notion from my statement in my TechTV interview -- that we have to focus more 
of our attention at improving software security.  That was where the "me 
neither..." came from, because I have no delusions that he would have caught 
my segment on the show -- or that it would have influenced him in any way 
even if he had.

> Of course there are lots of other security issues (not least "social
> engineering" ones) but in what way is security /harmed/ by disciplined
> programming in appropriate languages supported by appropriate tools?  Our
> experience is that such rigorous software engineering approaches result in
> more robust and secure product and a significant cost saving over less
> rigorous approaches.

Yes, I fully concur.  I found it encouraging that Yoran is raising software 
security as a major issue also.  I do wish that he'd used other examples than 
only buffer overruns, but it's a good step in the right direction.  I'm 
particularly big on improving the design phase, long before any line of code
(overrun or not) has been written.

Does that help clarify my point?

Cheers,

Ken van Wyk
-- 
KRvW Associates, LLC
http://www.KRvW.com