|
Secure Programming
Writing Secure code Dec 27 2002 12:46PM Rahul Chander Kashyap (rahul nsecure net) (6 replies) Re: Writing Secure code Dec 27 2002 06:03PM Valdis Kletnieks vt edu (2 replies) RE: Writing Secure code Dec 27 2002 08:51PM Roger Alexander (rta cs colostate edu) (1 replies) RE: Writing Secure code Dec 30 2002 12:41PM Matt McClellan (mmcclellan nfr com) (2 replies) Re: Writing Secure code Dec 27 2002 05:43PM John Viega (viega list org) (2 replies) |
|
|
Privacy Statement |
First of all i'm thankful to all for responding to my query. Well this shows
one thing for sure..we share similar concerns :-)
Actually i'm quite surprised that no one as yet has said that yes! we follow
some standards to <or rather attempt to>make our coding more secure.
So, how about directing our focus with a aim at reaching a
methodology/conclusion as to what can be done (by us + others) to say bring
up some ideas of some kind of a standard/practice which aims at following
certain guidelines to be taken at the design stage of any software
development process that could help us prevent the code getting
exploited.(If something like this already exists please do let me know..this
shall save a lot of time!).
yes there are books..i agree but then if we follow something as a standard
i'm sure that it shall be more universally accepted and we also cud improve
on those!
These practices cud also be platform dependent.
I wud like to add here that Yes! i agree with all those who say that what if
the OS itself is to blame,the libraries are buggy,etc.etc..But from our/the
developer point of view shudn't we have a practice that shud be adhered to??
(Say this could start from as simple a thing like ONLY using checked
functions like strncpy() instead of strcpy.)
And yes let us not focus on the *buggy* aspect of the code because out here
we're trying to make sure that what we've written is not exploitable due to
*holes* left by the coder. Someone put it very well :
* Reliable: something that does everything it is specified to do.
* Secure : something that does everything it is specified to do..and
nothing else.
I agree that there is a very thin line between the two ;-)
please do let me know what u people feel of this proposal. I'm open to
forming a group (if required) and doing some kind of research on this
aspect.
I too believe that *absolute security is a myth*, but i do believe in taking
some steps so as to reach as close as possible to say *high grade security!*
:o) Any takers on this???
Have a fabulous new year!
Regards,
Rahul C. Kashyap
Software Developer
www.nsecure.net
-------------------
Layered Defence
-------------------
[ reply ]