Network Security SecProg

RE: Writing Secure Code...

Subject: RE: Writing Secure Code...
Date: Mon, 24 Jan 2005 11:43:12 +1100
Exon said:
-----Original Message-----
From: exon [mailto:exon@home.se] 
Sent: Monday, 24 January 2005 7:34 AM
To: secprog@securityfocus.com
Subject: Re: Writing Secure Code...

Michael Silk wrote:
Well, think you can agree that OSS gives access to more 
people, right?
I agree with you, however, that having lots of people is not 
necessarily a good idea. The key is to have it structured as well, 
with reliable people doing it.


Hence the official maintainers who review and apply 
patches submitted by the efficient and many-headed crowd of 
programmers enjoying OSS.

Don't get me wrong, however, I don't think that OSS is the 
answer to 
writing more secure commercial programs, and I think that a 
combination of both is probably the worst idea :) Basically because 
you introduce an unstructured system into a system that requires 
deadlines ... and that can only be bad :)


OSS development in general is quite structured and often 
applies their own deadlines.

Deadlines maybe, but what is the repercussion if they aren't met?
Nothing. You're not getting paid, so you don't lose much. You can just
blame it on being busy with your real work (which it probably would be
due to) ...

Deadlines only matter if they actually need to be met, and in OSS
(i.e. free, "when you have time" development) I can't think of any
time where one would be required.


The main difference 
between proprietary vendors and OSS is that things get fixed 
faster, and if you don't think it gets done fast enough you 
can always fix it yourself.

I can fix things where I work currently, myself. What's the difference?

The main difference between OSS and commercial is you are getting paid
for one. This affects your priorities, hence what gets attention. Need
to beat your competitor out the door, etc, etc, etc... Business
priorities outweigh the development ones.

The problem is, they shouldn't. The fact is, they will. And always
will. As long as customers are happy to receive faulty products...
Then the development issues _become_ business ones, and it will hurt
the business if they don't meet XXX standard, or whatever.


Corporations just need to forget about these quick fixes and train 
their programmers to program _correctly_ (i.e: securely) and _give 
them the time to do it!_. Unfortunately deadlines are a fact of 
corporate life, but even so...


Good programmers should be aware of the amount of time that 
they need to write whatever (part of) program they are set to 
write.

They do, but most (all?) managers don't care about that.

Anyway ... Like I said, it's all been said before, so ... :)
