WebApp Sec mailing list archives

RE: Secure Coding? Bah!


From: Tim Greer <chatmaster () charter net>
Date: 23 Jan 2004 14:29:54 -0800

On Fri, 2004-01-23 at 11:03, Robert Paris wrote:
The article is wrong, yet also right. It's right that most people don't care 
and companies couldn't care less about the security of the products they 
sell (not the ones they use). It's also right in that the programmers of 
software cannot (and largely should not) be bothered to write top security 
in to their programs. If they did try to do that a few things would happen:

1. It'd take a lot of their time away from writing a well structured program

However, that is part of a well structured program and should be the
basis / foundation for design and creation.  Also, issues that arise
after releasing the software would probably account for more time,
stress and money dealing with the issue after the fact, rather than
before.  I don't think it's a matter of taking time away, that's part of
the development, it's a requirement for any software that will be in an
environment that poses a risk (i.e., not a home system with no one else
having access and not being hooked up to a network or the Internet). 
Besides, an educated programmer will know these things coming in and
moreover if they don't, they will learn them and it won't consume any
significant amount of additional time, since many issues can be dealt
with in the same (effective) ways and it gets easier.  It's a must, in
my opinion.

2. They'd inevitably not understand the security implications of each 
decision they made and it would end up being poor security (with likely 
other problems)
   They don't understand security well enough.

Then they should not be writing code that will be released to the public
and run on web sites / servers and networks that are publicly accessible,
and should wait until they have the knowledge to do it properly,
in my opinion.  As for the Java example, I don't code in it, so I can't
comment or offer any meaningful response.
-- 
Tim Greer <chatmaster () charter net>
