Secure Coding mailing list archives
Fw: Secured Coding
From: "Greenarrow 1" <Greenarrow1 () msn com>
Date: Mon, 15 Nov 2004 03:32:52 +0000
Sorry all, I forgot to place the Sc-L addy when replying.

Regards,
George
Greenarrow1
InNetInvestigations-Forensics

----- Original Message -----
From: "Greenarrow 1" <[EMAIL PROTECTED]>
To: "Dana Epp" <[EMAIL PROTECTED]>
Sent: Saturday, November 13, 2004 6:53 PM
Subject: Re: [SC-L] Secured Coding
Hi Dana,

This is exactly what firewalls and antivirus programs do, as they need to keep one foot ahead of the attacker. If attacked, they must immediately create a defense against the attack, but this is where I see a fault in a lot of programming. My thinking is: who is really at fault, the developer, the IT security reviewer, or both?

I have monitored 2 specific companies that are in the security field. When they create new programs, one does fairly well while the other still stays with the programming of the past software, just upgrading enough to fool the user. In my business I have programs that can look at every piece of coding built within. It surprises me, the total lack of revamping security in their upgrading of programs or producing new ones. What I am getting at is, if other companies do as this, one does not wonder why secured coding is dismal.

The one item I noticed is that there is a high amount of greed within certain companies. Get the product out no matter what, and if enough buyers complain then we might patch it. Naturally, speed is essential in combating an attacker, but why does one company use speed and creativity to its advantage while another one is so sloppy the patch is actually more damaging than the attack? How do we stop this?

I am totally against suing companies that produce bad coding that results in damage to users' systems, because I feel no law can be written without creating a huge mitigation of cases no matter how minor. Companies are afraid to share info because of infringement or copyright problems. This can be seen all over the internet. As in the case where one reader responded, "I do not have time to peruse any security newsletters." Well, duh, are they that valuable or superior to any other developer that 5, 10, or 15 minutes is going to destroy their day? I only subscribe to 5 security newsletters, and when there is nothing that pertains or relates to anything I do I just delete it.
But I have found some valuable info from posts which, while not in the language I use, still has effects upon what I do. I am not into heavy programming, but I do create software and scripts needed in computer forensics. I also use EnCase, for which in some cases I or my co-workers must create scripts to find what we are searching for. One item is that all our programs must be highly secured, as we cannot leave any evidence that we were searching one's computer for criminal prosecution.

My guidelines are that all programs created must be tested and then reviewed, then sent back to the developer for corrections, then retested, reviewed again, then back to the developer. The final version is then again tested by our CSO, which is forwarded to me, and if it meets all security guidelines it is then used by all workers. Yes, this takes time, but it saves lots of work and cuts the cost of having to revamp the program if it is flawed.

When a company has to patch or upgrade because of secured coding, it costs more than if they would have taken the time to secure it correctly in the first place. Companies do not see this, as the objective is to get the new product out. If they would review the costs of patching, then issuing the patch to everyone, plus the man hours, they would see this waste of monies.

I know I am raving on, so will close with: I Wish You a Very Happy Thanksgiving. I am happy to see subscribers again communicating on Sc-L, as it was lying dead in the water for a while. Just maybe if we all put our heads together we might have a solution to secured coding.

Regards,
George
Greenarrow1
InNetInvestigations-Forensics
Current thread:
- Secured Coding Greenarrow 1 (Nov 13)
- Re: Secured Coding Gunnar Peterson (Nov 13)
- Re: Secured Coding Dana Epp (Nov 13)
- RE: Secured Coding David Crocker (Nov 14)
- Re: Secured Coding Gadi Evron (Nov 17)
- <Possible follow-ups>
- Fw: Secured Coding Greenarrow 1 (Nov 14)
- Re: Secured Coding Peter G. Neumann (Nov 15)
- RE: Secured Coding Yousef Syed (Nov 15)