WebApp Sec mailing list archives

RE: Standardized Security Reference Libraries->was-> The Right Approach to Web Developer Education


From: "Arian J. Evans" <arian () anachronic com>
Date: Tue, 29 Jun 2004 21:47:18 -0500

Comments below:

What about the many 'good' and 'bad' programmers who are 'driven' to
'crunch' out code hour to hour. These programmers cannot write security
frameworks from scratch.

Well, some can; I've seen it. But,

They need help. Developers don't write GUI controls from scratch anymore.
They use toolkits. GUI Toolkits, Security Toolkits, far from failures!

Exactly. I 100% agree. The VB IDE doesn't exist so you can get close
to the machine or write snarling lean mean code. A whole lot of companies
like the cost of that and the guy who can use it better than a champion
C++ or Java developer. And that person isn't likely to become a security
expert anytime soon, if ever. And I don't see anything wrong with that.

After reading this thread I was surprised some people were against
security libraries for an IDE. Yes, I know how they fail. And I've seen
them succeed.

One client I work with regularly has built a very mature proprietary
security framework with reusable components (like validation controls).
When they have holes in their dozens or hundreds of applications, it's
because someone didn't know to use the components, forgot to use them,
or thought they used them right and made a /mistake/.

Developers almost always have priorities other than security. Someone
said it's really a management issue. Yes and no. The business has
priorities, and if they don't value the security risks highly or just choose
to accept the risk, that's their choice.

That said, the most consistently mature environment I've tested
and reviewed applications for (and I've tested and reviewed and
retested) is the one with the standardized security libraries.

It's not a magic bullet, just like scanners. It can provide a false
sense of security, just like scanners. But it seems to work most
of the time, and when it doesn't work, the problems are more
quickly/easily fixed than most places I've seen. Security 'most
of the time' is _a_lot_ better than all the places I see that seem
to have security none of the time.

My $0.01, deprecated for lack of processing power,

Arian

(Disclaimer: My private opinions do not reflect the thoughts or
position of my employer on these subjects. etc. etc.)
