Secure Coding mailing list archives
Re: Yoran on the state of software security
From: "Kenneth R. van Wyk" <Ken () KRvW com>
Date: Tue, 20 Apr 2004 18:49:45 +0100
Greetings all, I was asked to clarify what I posted yesterday re Amit Yoran's recent public statements on the topic of software security. On Tuesday 20 April 2004 03:27, an SC-L reader wrote:
> Ken, could you clarify a little please?

Happy to, see below.

> I detect a slightly snide tone that suggests that you disagree with the assertion that "it is inexplicable to produce software that suffers from buffer overruns". Is that really your position? If so, why?

Heavens no! Sorry for the ambiguity. Indeed, the issue of buffer overruns is probably the principal one that convinced me to co-author Secure Coding with Mark Graff. I'd like to see them become the polio of the tech world. What I was trying to make light about in my note is whether Yoran got that notion from my statement in my TechTV interview -- that we have to focus more of our attention at improving software security. That was where the "me neither..." came from, because I have no delusions that he would have caught my segment on the show -- or that it would have influenced him in any way even if he had.

> Of course there are lots of other security issues (not least "social engineering" ones) but in what way is security /harmed/ by disciplined programming in appropriate languages supported by appropriate tools? Our experience is that such rigorous software engineering approaches result in more robust and secure product and a significant cost saving over less rigorous approaches.

Yes, I fully concur. I found it encouraging that Yoran is raising software security as a major issue also. I do wish that he'd used other examples than only buffer overruns, but it's a good step in the right direction. I'm particularly big on improving the design phase, long before any line of code (overrun or not) has been written.

Does that help clarify my point?

Cheers,

Ken van Wyk
--
KRvW Associates, LLC
http://www.KRvW.com
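The exchange above argues that disciplined programming with appropriate tools makes buffer overruns avoidable. As an added illustration of that discipline (example code written for this archive page, not taken from the post or from the Secure Coding book), the functions below, `copy_name_checked` and `try_name`, are hypothetical names: the copy routine takes the destination size as an explicit parameter, refuses input that would not fit (rather than silently truncating or writing past the buffer), and the caller checks the result. `NAME_MAX` is a constructed sample buffer size.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed buffer size for the example; real code would size this per field. */
#define NAME_MAX 16

/*
 * Hypothetical bounded copy. Unlike strcpy(), which trusts the caller to have
 * sized dst for whatever src contains, this function is told how big dst is
 * and never writes beyond it. It returns false (and leaves dst empty) when
 * src plus its terminator would not fit, so an over-long input is an explicit
 * error path instead of an overrun.
 */
bool copy_name_checked(char *dst, size_t dst_size, const char *src) {
    if (dst == NULL || src == NULL || dst_size == 0)
        return false;

    /* Look for the terminator only within the space dst actually has;
       memchr never reads past dst_size bytes of src. */
    const char *end = memchr(src, '\0', dst_size);
    if (end == NULL) {
        dst[0] = '\0';          /* too long: reject, do not truncate silently */
        return false;
    }

    size_t len = (size_t)(end - src);
    memcpy(dst, src, len + 1);  /* len + 1 <= dst_size is guaranteed above */
    return true;
}

/*
 * Exercise copy_name_checked against a fixed-size stack buffer.
 * Returns 1 when the input was accepted and copied intact,
 * 0 when it was rejected as too long, -1 if the copy was corrupted.
 */
int try_name(const char *src) {
    char name[NAME_MAX];
    if (!copy_name_checked(name, sizeof name, src))
        return 0;
    return strcmp(name, src) == 0 ? 1 : -1;
}

int main(void) {
    /* Constructed sample inputs: one that fits, one exactly at the limit, one too long. */
    const char *samples[] = { "alice", "exactly15chars!", "sixteen-chars-xx" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> %d\n", samples[i], try_name(samples[i]));
    return 0;
}
```

The point of the design is that the size of the destination travels with the pointer and the result is checked: a 16-character input into a 16-byte buffer is rejected outright, whereas strcpy() would have written a 17th byte past the end.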