Secure Coding mailing list archives
Re: How do we improve s/w developer awareness?
From: ljknews <ljknews () mac com>
Date: Fri, 12 Nov 2004 12:37:49 +0000
At 2:48 PM -0500 11/11/04, Paco Hope wrote:
> On 11/11/04 11:46 AM, "ljknews" <[EMAIL PROTECTED]> wrote:
>> As a software developer, I care about such issues, but the compilations you list are largely not applicable to the operating system and programming languages with which I work.
>
> Advisories, problems, and failures do not have to involve your platform or language to be instructive. In fact, in this age of productization and commoditization of technology, many of the differences are superficial.

I am still looking for a forum that omits those problems due to choice of C and related programming languages that use null-terminated strings. I know that is a bad idea, and I don't do it. I am still looking for a forum that omits problems propagated over IP and related protocols. I don't do that either.

> Sure, the stock exploits won't apply, or maybe the concepts need some translation, but there is absolutely a good reason to be aware of the failures in other software. The same marketing that makes us think FooBarSystems Gronkulator 4.2 is much better than Gronkulator 4.1 makes us think that security issues written up on Gronkulator 4.x have nothing to do with other versions of Gronkulator, or Linux for that matter. There are a surprisingly small number of tools in hackers' toolboxes, yet they all seem to fit lots and lots of software.

I have yet to see a standard "tool" (as distinguished from social engineering technique) from elsewhere that fits VMS.

> Should you join every single mailing list in the world and read every single post? No. Should you only join the security-[platform]-[language] email list for the one thing you program? Also no. Somewhere between the extremes of "read everything you can" and working with blinders on is the "right" place where you read "stuff that I'm not working on, but informs me." It's not always an easy place to find. But I reject categorical statements like the one above that appear to say "if it ain't specific to my platform, it has no value to me."

No, I am saying "the typical forum is so full of irrelevant material that it is a waste of my time that should be spent elsewhere".

--
Larry Kilgallen