[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Coding securely, was Linux (in)security

To: full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] Coding securely, was Linux (in)security
From: coderman <coderman@charter.net>
Date: Sun, 26 Oct 2003 18:56:53 -0800

Paul Schmehl wrote:

If the input is *known* or has already been validated, why would you need to check it? My point is, if you can't know what the input will be, you *must* check it. The problem is that many programmers don't think like hackers. They write code as if every user will input the correct data because, after all, they're trying to use it, not abuse it.

That, of course, fails with the first person who types something incorrectly on the keyboard (intentionally or unintentionally) or when the input from some device is different than what the programmer thought it could ever be (for whatever reason.)

Secure programming requires additional skill and focus during design, development, testing and configuration. Ultimately the market decides winners in the software space, and everyone needs to see security as a feature worth paying more for, in terms of employees designing and building the systems, to QA testers performing thorough audits before deployment to users comparing choices in the corporate or consumer software space.

I think the software market (consumers and producers) are equaly responsible for the state of security - it costs more time and money and skill to build secure systems: are people paying more for the secure alternatives on the market? do people make a thorough effort to address security before purchase? Until the answer is yes, the current method will remain the market leader. Those that ignore security (to the extent they can) will come to market faster and cheaper than their more secure alternatives.

[ i'm also conviently ignoring monopoly considerations, etc ]

Security is a hard problem, and somehow we need to make it coherent and valuable in the eyes of everyone involved. (I don't have the answer, and its certainly not just a software problem)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- Re: [inbox] Re: [Full-Disclosure] RE: Linux (in)security
  - From: "Bill Royds" <full-disclosure@royds.net>
- Re: [inbox] Re: [Full-Disclosure] RE: Linux (in)security
  - From: Paul Schmehl <pauls@utdallas.edu>
- Re: [inbox] Re: [Full-Disclosure] RE: Linux (in)security
  - From: Brett Hutley <brett@hutley.net>
- [Full-Disclosure] Coding securely, was Linux (in)security
  - From: Paul Schmehl <pauls@utdallas.edu>

Prev by Date: [Full-Disclosure] Coding securely, was Linux (in)security
Next by Date: RE: [Full-Disclosure] Coding securely, was Linux (in)security
Previous by thread: [Full-Disclosure] Coding securely, was Linux (in)security
Next by thread: Re: [Full-Disclosure] Coding securely, was Linux (in)security
Index(es):
- Date
- Thread