Secure Coding mailing list archives
RE: Is developer education a lost cause?
From: "Michael S Hines" <mshines () purdue edu>
Date: Fri, 23 Jan 2004 14:30:09 +0000
So long as you include the analysts in that definition of developers... Then I agree with you. Many of our problems are a result of bad specifications.(the error of omission (in specs) - followed by the error of assumption (in code)) The example in the VanWyk book 'Secure Coding' (SYN flood) for example - assumes the error was in testing - however the specifications never addresses what to do about incomplete handshake protocols - a simple 'drop it' would have saved many people much grief (this is the classic DDoS attack). Personally, I believe the problem starts much earlier in the development cycle. Of course there are plenty of opportunities for error all along the product production phases (code, unit test, integration test, QA, implementation). MSH ----------------------------------- Michael S Hines [EMAIL PROTECTED] -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Teff Sent: Thursday, January 22, 2004 9:59 PM To: [EMAIL PROTECTED] Subject: Re: [SC-L] Is developer education a lost cause? I beleive that educating developers is the single best method to improve the security of software. Corners get cut every day because of constraints of one type or another. That is a fact of life and I don't see it going away. By educating the builders of the code, at least they understand what is possible and can start taking better precautions. By educating the decision makers, we can start redefining which corners just can't be cut. Or at least what the risks are if they are cut. There are too many instances where decisions are made because the potential result is not understood. Part of my job is to educate developers and architects about web application security. It is amazing how many do not understand the weaknesses of various technologies. There is tendency for developers to only think in terms of how thier software should be used; not in how someone may misuse it. This tendency causes vulnerabilities like SQL Injection, command injection, cross-site cripting, buffer overflows, hidden field/parameter/cookie tampering, direct browsing, directory traversal, etc. That doesn't mean they will write 100% safe code forever. Most developers tend to program more defensively once they are exposed to the possibility of vulnerable practices. My next goal is to start educating the decision makers. joe teff
Current thread:
- Is developer education a lost cause? Kenneth R. van Wyk (Jan 22)
- RE: Is developer education a lost cause? Jason Wilcox (Jan 22)
- Re: Is developer education a lost cause? Joe Teff (Jan 22)
- RE: Is developer education a lost cause? Michael S Hines (Jan 23)
- Re: Is developer education a lost cause? Pascal Meunier (Jan 23)
- Re: Is developer education a lost cause? Chris Wysopal (Jan 23)
- Re: Is developer education a lost cause? George Capehart (Jan 23)
- <Possible follow-ups>
- RE: Is developer education a lost cause? Robert Shields (Jan 23)
- Re: Is developer education a lost cause? Richard Moore (Jan 23)
- RE: Is developer education a lost cause? Giri, Sandeep (Jan 23)
- RE: Is developer education a lost cause? Robert Shields (Jan 23)
- Re: Is developer education a lost cause? Gary McGraw (Jan 23)
- RE: Is developer education a lost cause? Jeremy Epstein (Jan 30)
- Re: Is developer education a lost cause? der Mouse (Jan 31)
(Thread continues...)