Fw: Secured Coding

["Greenarrow 1" <Greenarrow1 () msn com>]

Sorry all I forgot to place the Sc-L addy when replying.

Regards,
George
Greenarrow1
InNetInvestigations-Forensics


----- Original Message ----- 
From: "Greenarrow 1" <[EMAIL PROTECTED]>
To: "Dana Epp" <[EMAIL PROTECTED]>
Sent: Saturday, November 13, 2004 6:53 PM
Subject: Re: [SC-L] Secured Coding


> Hi Dana,
>
> This is exactly what firewalls and anti virus programs do as they need to 
> keep one foot ahead of the attacker.  If attacked, they must immediately 
> create a defense against the attack, but this is where I see a fault in a 
> lot of programming.  My thinking is who is really at fault the developer, 
> IT security reviewer or both?  I have monitored 2 specific companies that 
> are in the security fields.  When they create new programs one does fairly 
> well while the other still stay with the programming of the past soft 
> wares, just upgrading enough to fool the user.  In my business I have 
> programs that can look at every piece of coding built within.  It 
> surprises me at the total lack of revamping security in their upgrading of 
> programs or producing new ones.
>
> What I am getting at if other companies do as this, one does not wonder 
> secured coding is dismal.  The one item I noticed that there is a high 
> amount of greed within certain companies.  Get the product out no matter 
> what and if enough buyers complain then we might patch it.  Naturally 
> speed is essential in combating a attacker but why does one company use 
> speed and creativity to its advantage while another one is so sloppy the 
> patch is actually more damaging then the attack.  How do we stop this?  I 
> am totally against suing companies that produce bad coding that results in 
> damage to users systems because I feel no law can be written without 
> creating a huge mitigation of cases no matter how minor.  Companies are 
> afraid to share info because of infringements or copy write problems. 
> This can be seen all over the internet.  As in the case one reader 
> responded that I do not have time to peruse any security newsletters. 
> Well, duh, are they that valuable or superior to any other developer that 
> 5, 10, or 15 minutes is going to destroy their day.  I only subscribe to 5 
> security newsletters and when there is nothing that pertains or relates to 
> anything I do I just delete it. But I have found some valuable info from 
> posts while not in the language I use but still has affects upon what I 
> do.
>
> I am not in to heavy programming but I do create soft wares and scripts 
> needed in computer forensics.  I also use Encase which in some cases I or 
> my co-workers must create script to find what we are searching for.  One 
> item is all our programs must be highly secured as we cannot leave any 
> evidence that we were searching ones computer for criminal prosecution. 
> My guidelines are that all programs created must be tested and then 
> reviewed, then back to the developer for corrections, then retested, 
> reviewed again then back to the developer.  The final version than is 
> again tested by our CSO, which is forwarded to me and if it meets all 
> security guidelines it is then used by all workers.  Yes this takes time 
> but it saves lots of work and cuts cost of having to revamp the program if 
> it is flawed.  When a company has to patch or upgrade because of secured 
> coding it costs more then if they would have taken the time to secure it 
> correctly in the first place. Companies do not see this as the objective 
> is get the new product out.  If they would review the costs of patching 
> then issuing the patch to everyone plus the man hours they would see this 
> waste of monies.
>
> I know I am raving on so will close with I Wish You a Very Happy 
> Thanksgiving.
>
> I am happy to see subscribers again communicating on Sc-L as it was laying 
> dead in the water for a while.  Just maybe if we all put our heads 
> together we might have a solution to secured coding.
>
> Regards,
> George
> Greenarrow1
> InNetInvestigations-Forensics