
| Subject: | Re: Writing Secure Code... |
|---|---|
| Date: | Sun, 23 Jan 2005 21:33:41 +0100 |
Well, I think you can agree that OSS gives access to more people, right? I agree with you, however, that having lots of people is not necessarily a good idea. The key is to have it structured as well, with reliable people doing it.
Don't get me wrong, however, I don't think that OSS is the answer to writing more secure commercial programs, and I think that a combination of both is probably the worst idea :) Basically because you introduce an unstructured system into a system that requires deadlines ... and that can only be bad :)
Corporations just need to forget about these quick fixes and train their programmers to program _correctly_ (i.e: securely) and _give them the time to do it!_. Unfortunately deadlines are a fact of corporate life, but even so...
Anyway, it's all been said before, so ... :)
-- Michael
On Wed, 19 Jan 2005 15:16:37 -0800, David LeBlanc <dleblanc@exchange.microsoft.com> wrote:
I'm not in my office, so this would bounce to the list -
I disagree with the theory that OSS yields effectively more people. First, what you want is not just people, but people who understand both security AND the code. If this theory were true, we wouldn't have so many 10 year old OSS bugs. BIND and Sendmail have always been OSS, and they've both got really bad records. We run the internet on these, and if anything should be thoroughly vetted, it should be these. There are other apps that are OSS which have excellent records. As another counter-argument, I think that much of the OpenBSD security gains have come from a small group of programmers, not "many eyes" - it's been from a few very good eyes. Where we (MS) get our biggest gains is basically a 3-prong attack - threat model the design, and fix problems there. Then teach devs how to recognize security problems, and use tools to audit code and root out bad APIs. We then use fuzzers to improve test coverage. We also have groups who are dedicated to just security (that's where I work). The more of this I do, the more I see the need for structure - along with some good old out-of-the-box hacking.
I agree completely with your point about the trade-offs between structure and motivation. One advantage we have is that if we tell someone to review a piece of code, it isn't optional. They may or may not do an excellent job, but they _must_ do it. Even this isn't truly a function of OSS or not, it is a function of whether the devs are paid. It's possible (though not common) to have paid devs creating OSS.
Everyone I know at MS who programs loves to program. I think that's why we program computers, and that's independent of where we work. I think part of the problem is wrapped up in that - we all like to create new code, not maintain old code. So once the code exists, there is so much more to be done to get it secure that's often tedious and not really programming. Many OSS projects aren't going to be as good at getting the tedium done - if someone is giving you time for free, you tend to be grateful for what you get.
Just some thoughts -
________________________________
From: Michael Silk [mailto:michaelsilk@gmail.com]
Sent: Wed 1/19/2005 2:31 PM
To: David LeBlanc
Cc: secprog@securityfocus.com
Subject: RE: Writing Secure Code...
David,
Re "Processes in place ..."
But that's the point of the discussion, isn't it?
I.e. that with OSS you will, in theory, have more people - more _motivated_ people - looking into the code and reviewing it.
The problem is that it will typically be rather unstructured reviewing... Corporations offer more structured ways to review the code, with the downside that sometimes the people reviewing don't care about its security, and corporate politics, etc.
The idea that businesses could somehow tap into this motivation by "open sourcing" their applications is a little stupid though, because in the end they are still driven by money, and not love of programming. Money brings deadlines, which means less time for reviews, fixes, etc, hence less secure code.
I definitely agree with you about developer skill, however. Neither model will be successful if the developers are terrible :)
The point is though, I suppose, that if you have motivated programmers in a structured environment (even if it's structured to be relaxed...) then you'll end up with better programs. It seems, however, that pure motivation beats out pure structure.
-- Michael
-----Original Message-----
From: David LeBlanc [mailto:dleblanc@exchange.microsoft.com]
Sent: Wednesday, 19 January 2005 11:45 AM
To: Sigmon Cheri Y Civ 82 CSS/SCPD :: Software Dev; secprog@securityfocus.com
Subject: RE: Writing Secure Code...
I think the most secure apps are written by the people who have the best developers. That's my short answer. As an illustration, consider DNS servers. Which is more secure, BIND, or Daniel Bernstein's DNS? They're both OSS, and I think we'd all agree that BIND has a terrible record, and DJB's has a very good record. Now consider Microsoft's DNS - it's also had a very good security record, with very, very few bulletins over the years. So which is the better predictor of security? Business model, or developer skill? I think it is developer skill.
One thing to add is that security isn't just developer skill. It is design, testing, and the processes put into place to verify whether the developer and designers made security mistakes or not. These practices are also orthogonal to business model. Having people poking at your software, whether it is by reading the source or by reading the binary, can be helpful in finding problems, but I think it is overall less helpful than having proper processes in place to improve security at every stage and phase of the development process, from design to implementation to testing. So the better question to ask is what processes are in place for a given solution to ensure security, not whether it is based on OSS or proprietary software.
I know this tends to be a hot-button topic, so please redirect flames to /dev/null. This should go without saying, but this is my personal opinion and may or may not align with my employer's opinion and in no way should be construed as an official statement on behalf of my employer.
-----Original Message-----
From: Sigmon Cheri Y Civ 82 CSS/SCPD :: Software Dev [mailto:Cheri.Sigmon@langley.af.mil]
Sent: Tuesday, January 18, 2005 11:32 AM
To: 'secprog@securityfocus.com'
Subject: Writing Secure Code...
Hi, Everyone...
Happy New Year! I've been lurking for a while... time to "decloak" in '05.
Item: The "ongoing" debate among choices of open source vs. proprietary (all companies') solutions, not just the major players in the industry.
I'm certain you've seen similar situations... where there are groups of people who are very opinionated one way or the other. My concern is the best solution(s) security-wise, regardless of the source. Any comments? From a broad-brush perspective?
[snip]
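Of the practices David lists (threat modelling the design, training developers, auditing code for bad APIs, fuzzing), the "tools to audit code and root out bad APIs" prong is the one that lends itself to a concrete illustration. The scanner below is an added example for this archive page; it is not Microsoft's tooling and not code posted by anyone in the thread. The ban list, the replacement suggestions, the sample C source and every function name in it are constructed for the example. It flags calls to unbounded C string routines while ignoring the same names when they appear only in comments or string literals, which is the first false-positive source a naive grep-based audit runs into.

```python
"""Minimal banned-API scanner for C source (added illustration, not from the thread)."""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line: int    # 1-based line number in the scanned source
    func: str    # banned function that was called
    text: str    # the offending source line, stripped


# Hypothetical ban list for this example: function name -> bounded alternative
# a reviewer would normally point to. A real programme keeps a much longer list.
BANNED = {
    "strcpy": "strncpy/strlcpy with an explicit destination size",
    "strcat": "strlcat or snprintf",
    "sprintf": "snprintf",
    "gets": "fgets",
}

# Match "name(" on a word boundary so snprintf does not trip the sprintf rule.
_CALL = re.compile(r"\b(" + "|".join(map(re.escape, BANNED)) + r")\s*\(")
_STRING = re.compile(r'"(?:\\.|[^"\\\n])*"')   # double-quoted C literal
_BLOCK_COMMENT = re.compile(r"/\*.*?\*/")     # /* */ on a single line only
_LINE_COMMENT = re.compile(r"//.*")

# Constructed sample C source; every line here was written for this example.
SAMPLE_SOURCE = """\
#include <stdio.h>
#include <string.h>

void greet(const char *name) {
    char buf[64];               /* strcpy() below can overflow this */
    strcpy(buf, name);
    sprintf(buf, "hi %s", name);
    puts("note: gets() is banned");
}

int read_line(char *out) {
    return gets(out) != NULL;   // removed from the C11 standard
}

static void ok(char *dst, size_t n, const char *src) {
    snprintf(dst, n, "%s", src);
}
"""


def strip_noise(line: str) -> str:
    """Blank out string literals and comments so a banned name that is merely
    mentioned does not count as a call. Multi-line /* */ comments are not
    handled; a production tool works from a real C parser instead of regexes."""
    line = _STRING.sub('""', line)
    line = _BLOCK_COMMENT.sub("", line)
    return _LINE_COMMENT.sub("", line)


def scan(source: str) -> List[Finding]:
    """Return one Finding per banned call, in source order."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        for match in _CALL.finditer(strip_noise(raw)):
            findings.append(Finding(lineno, match.group(1), raw.strip()))
    return findings


def report(source: str) -> str:
    """Human-readable audit output, one line per finding."""
    return "\n".join(
        f"line {f.line}: {f.func}() is banned; use {BANNED[f.func]}: {f.text}"
        for f in scan(source)
    )


if __name__ == "__main__":
    print(report(SAMPLE_SOURCE))
```

Run on the embedded sample it reports the `strcpy`, `sprintf` and `gets` calls on lines 6, 7 and 12 and stays quiet about the `snprintf` call and about the two places where a banned name appears only inside a comment or a string. The point of the example is the `strip_noise` step: an audit tool that greps for names alone buries the real findings in noise, which is exactly the tedium David describes developers being reluctant to wade through.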