WebApp Sec mailing list archives

RE: Secure Coding? Bah!

From: "Robert Paris" <rpjava () hotmail com>
Date: Fri, 23 Jan 2004 19:03:44 +0000

The article is wrong, yet also right. It's right that most people don't careand companies couldn't care less about the security of the products theysell (not the ones they use). It's also right in that the programmers ofsoftware cannot (and largely should not) be bothered to write top securityin to their programs. If they did try to do that a few things would happen:


1. It's take a lot of their time away from writing a well stuctured program

2. They'd inevitably not understand the security implications of eachdecision they made and it would end up being poor security (with likelyother problems)

  They don't understand security well enough.

HOWEVER, the answer? We need better frameworks/languages that incorporateEASY TO USE/IMPLEMENT security architectures. For example, who here writesin Java? Have you ever tried to write a program that actually uses securitychecks in it? I mean at the Java code level, not user name password, certstuff. It's a pain in the butt, and a very poorly thought out system. Theworst thing is when I need to use third party software and MY needs forsecurity are different than from how they structured security in theirprogram. How do I implement it so that no one can add in new code thatdoesn't follow my security ideas? With Java's current security mechanism ICANNOT add security/permission checks to the third party software! Andfrankly, adding it to mine is a bit of a pain too. It should be easy, andnot involve a lot of programming on my part. It should be: plug it in andthen in an administrative fashion, add on the security. EJBs get a littlecloser to this, and that's a start.

The point is simply that the reason security is such a problem is that it'sNOT EASY. That's it. And the people to make it easy are the ones buildinglanguages (like Java), framework APIs - not the ones building programs. Bythat point it's too late.


_________________________________________________________________

Check out the new MSN 9 Dial-up fast & reliable Internet access with primefeatures! http://join.msn.com/?pgmarket=en-us&page=dialup/home&ST=1

Current thread:

Re: Secure Coding? Bah!, (continued)
- Re: Secure Coding? Bah! Chris DeVoney (Jan 22)
- Re: Secure Coding? Bah! Chris Kirschke (Jan 22)
- Re: Secure Coding? Bah! Mark Curphey (Jan 22)
  - Re: Secure Coding? Bah! Adam Tuliper (Jan 22)
- Re: Secure Coding? Bah! Mark Curphey (Jan 22)
  - RE: Secure Coding? Bah! Taco Fleur (Jan 22)
- Re: Secure Coding? Bah! Mark Curphey (Jan 23)
- RE: Secure Coding? Bah! Taco Fleur (Jan 23)
- Re: Secure Coding? Bah! ONEILL David J (Jan 23)
  - Re: Secure Coding? Bah! Mike Hoskins (Jan 24)
- RE: Secure Coding? Bah! Robert Paris (Jan 23)
  - RE: Secure Coding? Bah! Tim Greer (Jan 24)
- RE: Secure Coding? Bah! Glenn_Everhart (Jan 23)
  - RE: Secure Coding? Bah! Dinis Cruz (Jan 25)