Network Security SecProg
RE: Writing Secure Code...

Subject: RE: Writing Secure Code...
Date: Tue, 18 Jan 2005 16:44:38 -0800
I think the most secure apps are written by the people who have the best
developers. That's my short answer. As an illustration, consider DNS
servers. Which is more secure, BIND, or Daniel Bernstein's DNS? They're
both OSS, and I think we'd all agree that BIND has a terrible record,
and DJB's has a very good record. Now consider Microsoft's DNS - it's
also had a very good security record, with very, very few bulletins over
the years. So which is the better predictor of security? Business model,
or developer skill? I think it is developer skill.

One thing to add is that security isn't just developer skill. It is
design, testing, and the processes put into place to verify whether the
developer and designers made security mistakes or not. These practices
are also orthogonal to business model. Having people poking at your
software, whether it is by reading the source or by reading the binary,
can be helpful in finding problems, but I think it is overall less
helpful than having proper processes in place to improve security at
every stage and phase of the development process, from design to
implementation to testing. So the better question to ask is what
processes are in place for a given solution to ensure security, not
whether it is based on OSS or proprietary software.

I know this tends to be a hot-button topic, so please redirect flames to
/dev/null. This should go without saying, but this is my personal
opinion and may or may not align with my employer's opinion and in no
way should be construed as an official statement on behalf of my
employer.

-----Original Message-----
From: Sigmon Cheri Y Civ 82 CSS/SCPD :: Software Dev
[mailto:Cheri.Sigmon@langley.af.mil] 
Sent: Tuesday, January 18, 2005 11:32 AM
To: 'secprog@securityfocus.com'
Subject: Writing Secure Code...

Hi, Everyone...

Happy New Year! I've been lurking for a while... time to "decloak" in '05.

Item: The "ongoing" debate among choices of open source vs. proprietary (all companies') solutions, not just the major players in the industry.

I'm certain you've seen similar situations... where there are groups of people who are very opinionated one way or the other. My concern is the best solution(s) security-wise, regardless of the source. Any comments? From a broad-brush perspective?

[snip]