I must admit that I have no idea what the difference is between coding
and programming. If this is common knowledge to everyone else, please
fill me in. Did I miss something when I skipped the "Introduction to C"
class?
To answer the question though, to me "secure programming" means
implementing code which make no assumptions. You can't assume the user
input is well formatted. You can't assume that your co-workers code is
bug free. You can't assume your own code is bug free. Unfortunately you
can't assume the OS is secure either, so there is probably no such thing
as a truly secure application. You can only hope everyone is making the
same effort you are.
To that end, software should have well defined components with discreet
separation and few entry points. Less code is a good thing if you feel
comfortable about the libraries you are making use of. Spend a
significant amount of time doing code reviews with peers, and be sure
you can draw a clear picture of your architecture. If you can't, it's
probably too complicated.
One rule of thumb I use when writing code is to write it from a view
point where it may be available to the public at some point in the
future. Even though I work on a closed source product, I make no
assumption about the source code being secret. So if the code is leaked,
I won't lose any sleep.
Oh, and learn from other people's mistakes! Read bugtraq, this list, etc...
Regards,
Neil
Gustavo Rios wrote:
> Hey folks,
>
> i am very new to this mailing list, this is just my first message.
> I wonder what you take for "secure programming" ?
>
> Are you folks aware about the difference between coding and programming ?
> I am sure you plenty of guys/girls here are, but it is worthy to
> refresh it, isn't it ?
> Don't take me wrong, please, but i do ask that cause i have heard
> about many "secure programming" techniques that are simply put
> misguided. And the most amazing is that there are plenty of folks
> around "buying" many wrong concepts. I hope this mailing list may
> clarify the ones i bought myself too (we all do, in different amounts,
> of course).
>
> Thanks for your feedback.
I must admit that I have no idea what the difference is between coding
and programming. If this is common knowledge to everyone else, please
fill me in. Did I miss something when I skipped the "Introduction to C"
class?
To answer the question though, to me "secure programming" means
implementing code which make no assumptions. You can't assume the user
input is well formatted. You can't assume that your co-workers code is
bug free. You can't assume your own code is bug free. Unfortunately you
can't assume the OS is secure either, so there is probably no such thing
as a truly secure application. You can only hope everyone is making the
same effort you are.
To that end, software should have well defined components with discreet
separation and few entry points. Less code is a good thing if you feel
comfortable about the libraries you are making use of. Spend a
significant amount of time doing code reviews with peers, and be sure
you can draw a clear picture of your architecture. If you can't, it's
probably too complicated.
One rule of thumb I use when writing code is to write it from a view
point where it may be available to the public at some point in the
future. Even though I work on a closed source product, I make no
assumption about the source code being secret. So if the code is leaked,
I won't lose any sleep.
Oh, and learn from other people's mistakes! Read bugtraq, this list, etc...
Regards,
Neil
Gustavo Rios wrote:
> Hey folks,
>
> i am very new to this mailing list, this is just my first message.
> I wonder what you take for "secure programming" ?
>
> Are you folks aware about the difference between coding and programming ?
> I am sure you plenty of guys/girls here are, but it is worthy to
> refresh it, isn't it ?
> Don't take me wrong, please, but i do ask that cause i have heard
> about many "secure programming" techniques that are simply put
> misguided. And the most amazing is that there are plenty of folks
> around "buying" many wrong concepts. I hope this mailing list may
> clarify the ones i bought myself too (we all do, in different amounts,
> of course).
>
> Thanks for your feedback.
[ reply ]