Network Security SecProg

Re: What do you take for secure programming?

Subject: Re: What do you take for secure programming?
Date: Fri, 28 Jan 2005 10:45:45 -0800
Hi Gustavo-

I must admit that I have no idea what the difference is between coding and programming. If this is common knowledge to everyone else, please fill me in. Did I miss something when I skipped the "Introduction to C" class?

To answer the question though, to me "secure programming" means implementing code which makes no assumptions. You can't assume the user input is well formatted. You can't assume that your co-worker's code is bug free. You can't assume your own code is bug free. Unfortunately you can't assume the OS is secure either, so there is probably no such thing as a truly secure application. You can only hope everyone is making the same effort you are.

To that end, software should have well defined components with discrete separation and few entry points. Less code is a good thing if you feel comfortable about the libraries you are making use of. Spend a significant amount of time doing code reviews with peers, and be sure you can draw a clear picture of your architecture. If you can't, it's probably too complicated.

One rule of thumb I use when writing code is to write it from a view point where it may be available to the public at some point in the future. Even though I work on a closed source product, I make no assumption about the source code being secret. So if the code is leaked, I won't lose any sleep.

Oh, and learn from other people's mistakes! Read bugtraq, this list, etc...

Regards,
Neil


Gustavo Rios wrote:
Hey folks,

I am very new to this mailing list, this is just my first message.
I wonder what you take for "secure programming"?

Are you folks aware of the difference between coding and programming?
I am sure plenty of you guys/girls here are, but it is worth
refreshing it, isn't it?
Don't take me wrong, please, but I do ask that because I have heard
about many "secure programming" techniques that are, simply put,
misguided. And the most amazing is that there are plenty of folks
around "buying" many wrong concepts. I hope this mailing list may
clarify the ones I bought myself too (we all do, in different amounts,
of course).

Thanks for your feedback.
