Coding, i believe is about Programming Language Syntax. Programming is
about formal math manipulation. This is what i believe to be.

Secure programming is nothing but prevent your software does not take
into an undesireable condition (i call them a predicate). I am so
frustated about current software quality i decide to to wait for
others' improvements. Very few software around have close to decent
quality, and even that it is not enough. Some are: OpenBSD, DJB tools,
Knuth Tex......

I meant: close to decent. It is not adequate yet.

I started to writing many programs i am in need. This is the kind of
jobs people around labels me nerd, insane and the like stupid offence.
I don't care, altough is job for the very patiente.

Some books that allowed me to have very different perspective about
programming are:

A Logical Approach to Discrete Math, David Gries.
The Science of Programming, David Gries.
Predicate Calculus and Program Semantics, Dijkstra
A Discipline of Programming, Dijkstra
Formal Development of Programs and Proofs, Dijkstra.

Altough is very hard to be 100% rigorous, they all - no exception - helps a lot.

For those interested in doing serious secure programming, i am
confident to suggest them, if you would allow.

Important to know these books is all about about programming, not
about coding, i.e., no particular language syntax is taken into place.

I hope it helps.

PS: As soon as i have some result to show, i may post a url for those
to play with my software.

On 1/28/05, mac4-security (at) theory (dot) org [email concealed] <mac4-security (at) theory (dot) org [email concealed]> wrote:
> Hi Gustavo-
>
> I must admit that I have no idea what the difference is between coding
> and programming. If this is common knowledge to everyone else, please
> fill me in. Did I miss something when I skipped the "Introduction to C"
> class?
>
> To answer the question though, to me "secure programming" means
> implementing code which make no assumptions. You can't assume the user
> input is well formatted. You can't assume that your co-workers code is
> bug free. You can't assume your own code is bug free. Unfortunately you
> can't assume the OS is secure either, so there is probably no such thing
> as a truly secure application. You can only hope everyone is making the
> same effort you are.
>
> To that end, software should have well defined components with discreet
> separation and few entry points. Less code is a good thing if you feel
> comfortable about the libraries you are making use of. Spend a
> significant amount of time doing code reviews with peers, and be sure
> you can draw a clear picture of your architecture. If you can't, it's
> probably too complicated.
>
> One rule of thumb I use when writing code is to write it from a view
> point where it may be available to the public at some point in the
> future. Even though I work on a closed source product, I make no
> assumption about the source code being secret. So if the code is leaked,
> I won't lose any sleep.
>
> Oh, and learn from other people's mistakes! Read bugtraq, this list, etc...
>
> Regards,
> Neil
>
>
> Gustavo Rios wrote:
> > Hey folks,
> >
> > i am very new to this mailing list, this is just my first message.
> > I wonder what you take for "secure programming" ?
> >
> > Are you folks aware about the difference between coding and programming ?
> > I am sure you plenty of guys/girls here are, but it is worthy to
> > refresh it, isn't it ?
> > Don't take me wrong, please, but i do ask that cause i have heard
> > about many "secure programming" techniques that are simply put
> > misguided. And the most amazing is that there are plenty of folks
> > around "buying" many wrong concepts. I hope this mailing list may
> > clarify the ones i bought myself too (we all do, in different amounts,
> > of course).
> >
> > Thanks for your feedback.
>
>

[ reply ]