WebApp Sec mailing list archives
RE: Secure Coding? Bah!
From: Tim Greer <chatmaster () charter net>
Date: 23 Jan 2004 14:29:54 -0800
On Fri, 2004-01-23 at 11:03, Robert Paris wrote:
> The article is wrong, yet also right. It's right that most people don't care and companies couldn't care less about the security of the products they sell (not the ones they use). It's also right in that the programmers of software cannot (and largely should not) be bothered to write top security into their programs. If they did try to do that, a few things would happen:
> 1. It'd take a lot of their time away from writing a well structured program.
However, that is part of a well structured program and should be the basis / foundation for design and creation. Also, issues that arise after releasing the software would probably account for more time, stress and money dealing with the issue after the fact, rather than before. I don't think it's a matter of taking time away; that's part of the development. It's a requirement for any software that will be in an environment that poses a risk (i.e., not a home system with no one else having access and not being hooked up to a network or the Internet). Besides, an educated programmer will know these things coming in, and moreover, if they don't, they will learn them, and it won't consume any significant amount of additional time, since many issues can be dealt with in the same (effective) ways and it gets easier. It's a must, in my opinion.
> 2. They'd inevitably not understand the security implications of each decision they made, and it would end up being poor security (with likely other problems). They don't understand security well enough.
Then they should not be writing code that will be released to the public and run on web sites / servers and networks that are publicly accessible, and should wait until they have the knowledge to do it properly, in my opinion. As for the Java example, I don't code in it, so I can't comment or offer any meaningful response.
--
Tim Greer <chatmaster () charter net>