Network Security SecProg

Re: Writing Secure Code...

Subject: Re: Writing Secure Code...
Date: Mon, 24 Jan 2005 18:17:35 +0100
Michael Silk wrote:
Exon said:

-----Original Message-----
From: exon [mailto:exon@home.se] Sent: Monday, 24 January 2005 7:34 AM
To: secprog@securityfocus.com
Subject: Re: Writing Secure Code...


Michael Silk wrote:

Well, I think you can agree that OSS gives access to more people, right?

I agree with you, however, that having lots of people is not necessarily a good idea. The key is to have it structured as well, with reliable people doing it.


Hence the official maintainers who review and apply patches submitted by the efficient and many-headed crowd of programmers enjoying OSS.



Don't get me wrong, however, I don't think that OSS is the answer to writing more secure commercial programs, and I think that a combination of both is probably the worst idea :) Basically because you introduce an unstructured system into a system that requires deadlines ... and that can only be bad :)


OSS development in general is quite structured and often applies its own deadlines.


Deadlines maybe, but what is the repercussion if they aren't met? Nothing. You're not getting paid, so you don't lose many. You can just blame it on being busy with your real work (which it probably would be due to) ...


Not true. Many large OSS projects (Apache, Samba, Linux, GNU, openssl, openssh, ..., the list goes on and on and on) are funded by organisations and/or companies (FSF, Dell, IBM, RedHat, to name a few) that expect deadlines to be met. If they stop developing (fast enough), funds will be cut and people will lose their jobs.


Deadlines only matter if they actually need to be met, and in OSS (i.e. free, "when you have time" development) I can't think of any time where one would be required.


There's another reason too. The simple joy of getting a pat-on-the-back email for doing something cool/good/amusing/fun/educational or whatever. Many OSS developers hate to disappoint their users and love to bask in the questionable glory of having written the fastest and most clever traceroute program ever. No new releases means users drop out and the project dies.




The main difference between proprietary vendors and OSS is that things get fixed faster, and if you don't think it gets done fast enough you can always fix it yourself.


I can fix things where I work currently, myself. What's the difference?


You can't fix it if you bought it closed source.

The main difference between OSS and commercial is you are getting paid for one. This affects your priorities, hence what gets attention. Need to beat your competitor out the door, etc, etc, etc... Business priorities outweigh the development ones.

The problem is, they shouldn't. The fact is, they will. And always will. As long as customers are happy to receive faulty products... Then the development issues _become_ business ones, and it will hurt the business if they don't meet XXX standard, or whatever.


I wholeheartedly agree. Business decisions + software = shoddy implementation. OSS removes the business decisions and leaves the programmers to thrive in excellence.




Corporations just need to forget about these quick fixes and train their programmers to program _correctly_ (i.e. securely) and _give them the time to do it!_ Unfortunately deadlines are a fact of corporate life, but even so...


Good programmers should be aware of the amount of time that they need to write whatever (part of) program they are set to write.


They do, but most (all?) managers don't care about that.


Agreed (again). Business and software only work if the money-blinded idiots of business are in the hands of software developers instead of the other way around. Programmers generally have a higher IQ than the average CEO (at least in Sweden, where someone finally managed to browbeat management into taking the damn test). Higher IQ generally breeds a higher fascination for discovery than it does for money. After all, any idiot knows what to do with money, but only the true genius knows what to do with a discovery.


Anyway ... Like I said, it's all been said before, so ... :)



/exon

PS.
For those of you who don't know what the true genius would do with a discovery, consider how many Nobel Prize winners hold patents and how many have released their findings to the world (other scientists, usually) so as to make the world a little happier for all of us.

