[Dshield] RE: A new approach toward teaching secure coding? (WWW or otherwise)

KeithTarrant KeithTarrant at spamcop.net
Sun Sep 8 22:09:03 GMT 2002


Alonso, a lot of buggy vulnerable code has been written by university
and college grads, including those with post graduate degrees, and
including those who graduated recently.  Look at IBM and M$.

What matters is management correctly estimating the resources
needed to do a proper job, allocating those resources, and staff
having the self-discipline to follow all the required steps for
development and structured testing.

That some people in our profession are loath to properly mentor
others and keep information secret from their teammates is a
fault in our profession, not of those trying to join it.

BTW Very witty Lane.

- Keith
----- Original Message -----
From: "Lane Weast" <lweast at leeclerk.org>
To: <list at dshield.org>
Sent: Sunday, September 08, 2002 10:23 AM
Subject: [Dshield] RE: A new approach toward teaching secure coding? (WWW
or otherwise)


> So why don't you write the book that should be on the shelf??
>
>
> > -----Original Message-----
> > From: Alonso Robles [mailto:kha0z at earthlink.net]
> > Sent: Saturday, September 07, 2002 9:32 AM
> > To: Alex Lambert
> > Cc: jasonc at science.org; Sverre H. Huseby; webappsec at securityfocus.com;
> > secprog at securityfocus.com
> > Subject: Re: A new approach toward teaching secure coding? (WWW or
> > otherwise)
> >
> >
> > As a programmer, I firmly believe that there is no
> > substitution for the
> > formal education that is acquired by the attendance and active
> > participation in a university level (undergraduate and/or
> > postgraduate)
> > curriculum.  Perhaps I am being too conservative about this,
> > but what I
> > have learned is that a large collection of "technical" books
> > are nothing
> > more than a quick overview and introduction to a programming language
> > using a large collection of buzz words.  There are a few select books
> > which are a good source of reference for practical uses of a language
> > while they highlight some of the more powerful features and point out
> > some of the shortcomings of the technology.  However, even
> > these books
> > fail to teach and/or review a practical or algorithmic approach to
> > solving a problem, much less address or explain the importance of
> > security from any approach.  Short tutorials are normally
> > approaches to
> > solving minute problems while sometimes highlighting a few
> > features of a
> > language.
> >
> > In my humble opinion, security should come naturally when a
> > classic and
> > systematic approach to solving a problem is taken. In most computer science
> > curriculums I have seen, a good amount of time is spent in
> > teaching the
> > process of designing a program. When the steps of defining
> > the problem,
> > outlining the solution, designing the algorithms necessary to
> > solve the
> > problem, understanding the data, and constructing practical data
> > structures before any of the coding actually occurs, a large
> > number of
> > security issues are addressed at that time, minimizing the
> > potential for
> > security risks in the code. While we all know there is no
> > such thing as
> > 100% bug free code, this process is an essential part of software and
> > application design and development. Most self-taught
> > programmers never
> > find a mentor who explains this process and its importance, not to
> > mention the post coding steps that should be taken prior to releasing
> > the application or software such as debugging, documentation, and
> > testing.
> >
> > But I digress; the most elementary problem, again in my
> > opinion, lies in
> > the absence of a solid understanding of application
> > development. I have
> > found that a large number of authors do not have the technical
> > education or experience to highlight the formal application of a
> > language in their compositions and/or short tutorials. Perhaps, a
> > friendly reminder that there is no text that is the "be all
> > powerful and
> > ultimate" reference to good and secure programming should be
> > passed to
> > the students of any curriculum and/or readers of any text.
> >
> > -Alonso
> >
> > On Friday, September 6, 2002, at 09:33  PM, Alex Lambert wrote:
> >
> > > (My apologies for the delayed response)
> > >
> > >> The reality of what you've so eloquently articulated,
> > Alex, is that
> > >> people
> > >> who write technical books often have very little, if any,
> > real-world
> > >> experience.
> > >
> > > This is unfortunate, but I don't doubt it at all -- they're out to
> > > make a
> > > buck. However, I believe that free tutorial/howto authors
> > are different;
> > > they lack the monetary incline to do a quick and dirty job. I think
> > > they're
> > > trying to act in the best interest of the coder, but aren't
> > aware of the
> > > problems that their practices cause.
> > >
> > > Informally browsing in the space of thirty minutes, I was
> > able to find a
> > > bunch of this sort of "bad" documentation:
> > >
> > > http://www.php.net/manual/en/features.cookies.php
> > > http://www.php.net/manual/en/features.http-auth.php
> > > http://www.zend.com/zend/tut/tutorial-yank.php
> > > http://www.zend.com/zend/tut/banner.php
> > >
> > > http://www.melonfire.com/community/columns/trog/article.php?id=129&page=8
> > >
> > > http://www.melonfire.com/community/columns/trog/article.php?id=18&page=6
> > > http://www.devshed.com/Server_Side/Perl/Perl101/Perl101_7/page8.html
> > > http://www.cgi101.com/class/ch18/count.txt
> > >
> > > Of course, I'm not authoritative for anyone's mindset but my
> > own. Has
> > > anyone
> > > else out there noticed the (albeit accidental) propagation of bad
> > > habits by
> > > these means? Or even attempted to contact the authors?
> > >
> > >
> > > apl
> > >
> > > ----- Original Message -----
> > > From: "Jason Coombs" <jasonc at science.org>
> > > To: "Sverre H. Huseby" <shh at thathost.com>; "Alex Lambert"
> > > <alambert at webmaster.com>
> > > Cc: <webappsec at securityfocus.com>; <secprog at securityfocus.com>
> > > Sent: Friday, August 30, 2002 6:11 PM
> > > Subject: RE: A new approach toward teaching secure coding? (WWW or
> > > otherwise)
> > >
> > >
> > >> The reality of what you've so eloquently articulated,
> > Alex, is that
> > >> people
> > >> who write technical books often have very little, if any,
> > real-world
> > >> experience. They sometimes know enough about the subject matter of
> > >> their
> > >> book to get it finished with the help of copy-and-paste from vendor
> > >> documentation. Other times not.
> > >>
> > >> The technical book market is a buzzword-compliant widget-producing
> > > machine,
> > >> with a few exceptions -- we all know who those exceptions
> > are, because
> > >> we
> > >> buy their books. And we hope someday to be worthy of writing one.
> > >>
> > >> O'Reilly, for example.
> > >> http://www.oreilly.com/
> > >>
> > >> Sincerely,
> > >>
> > >> Jason Coombs
> > >> jasonc at science.org
> > >>
> > >
> > >
> >
>
>