Secure Coding mailing list archives

Re: Re: Application Insecurity --- Who is at Fault?

From: Michael Silk <michaelslists () gmail com>
Date: Tue, 12 Apr 2005 04:11:11 +0100

Dave,

On Apr 11, 2005 9:58 PM, Dave Paris <[EMAIL PROTECTED]> wrote:

The programmer is neither the application architect nor the system
engineer.


In some cases he is. Either way, it doesn't matter. I'm not asking the
programmer to re-design the application, I'm asking them to just
program the design 'correctly' rather than 'with bugs' (or - security
problems). Sometimes they leave 'bugs' because they don't know any
better, so sure, train them. [oops, I'm moving off the point again].
All I mean is that they don't need to be the architect or engineer to
have their decisions impact the security of the work.

If
security is designed into the system and the programmer fails to code to
the specification, then the programmer is at fault.


Security can be design into the system in many ways: maybe the manager
was vauge in describing it, etc, etc. I would question you if you
suggested to me that you always assume to _NOT_ include 'security' and
only _DO_ include security if someone asks. For me, it's the other way
round - when receiving a design or whatever.

While there are cases that the programmer is indeed at fault (as can
builders be), it is _far_ more often the case that the security flaw (or
lack of security) was designed into the system by the architect and/or
engineer.


So your opinion is that most security flaws are from bad design?
That's not my experience at all...

What are you classifying under that?

It's also much more likely that the "foreman" (aka
programming manager) told the builder (programmer) to take shortcuts to
meet time and budget -


Maybe, but the programmer should not allow 'security' to be one of
these short-cuts. It's just as crucial to the finsihed application as
implementing that method to calculate the Net Proceedes or something.
The manager wouldn't allow you to not do that; what allow them to
remove so-called 'Security' (in reality - just common sense of
validating inputs, etc.).

-- Michael

Current thread:

Re: Application Insecurity --- Who is at Fault?, (continued)
- - - Re: Application Insecurity --- Who is at Fault? Michael Silk (Apr 07)
    - Re: Application Insecurity --- Who is at Fault? Margus Freudenthal (Apr 07)
    - Re: Application Insecurity --- Who is at Fault? dtalk-ml (Apr 10)
    - Re: Application Insecurity --- Who is at Fault? ljknews (Apr 10)
    - RE: Re: Application Insecurity --- Who is at Fault? Edward Rohwer (Apr 10)
    - Re: Re: Application Insecurity --- Who is at Fault? Crispin Cowan (Apr 11)
    - Re: Re: Application Insecurity --- Who is at Fault? Kenneth R. van Wyk (Apr 11)
    - Re: Re: Application Insecurity --- Who is at Fault? Michael Silk (Apr 11)
    - Re: Re: Application Insecurity --- Who is at Fault? Dave Paris (Apr 11)
    - RE: Re: Application Insecurity --- Who is at Fault? Chris Matthews (Apr 11)
    - Re: Re: Application Insecurity --- Who is at Fault? Michael Silk (Apr 11)
    - Re: Re: Application Insecurity --- Who is at Fault? der Mouse (Apr 12)
    - Re: Re: Application Insecurity --- Who is at Fault? Michael Silk (Apr 12)
    - Re: Re: Application Insecurity --- Who is at Fault? der Mouse (Apr 12)
    - Adding some unexpected reliability expectations ljknews (Apr 13)
    - Re: Adding some unexpected reliability expectations Rob, grandpa of Ryan, Trevor, Devon & Hannah (Apr 13)
    - Re: Re: Application Insecurity --- Who is at Fault? Michael Silk (Apr 13)
    - Re: Re: Application Insecurity --- Who is at Fault? Dave Paris (Apr 13)
    - Re: Re: Application Insecurity --- Who is at Fault? Michael Silk (Apr 14)
    - Re: Re: Application Insecurity --- Who is at Fault? Dave Paris (Apr 14)
    - Re: Re: Application Insecurity --- Who is at Fault? Damir Rajnovic (Apr 11)

(Thread continues...)