Network Security SecProg

Re: What do you take for secure programming?

Subject: Re: What do you take for secure programming?
Date: Thu, 5 May 2005 13:54:57 -0300
Coding, I believe, is about programming language syntax. Programming is
about formal math manipulation. This is what I believe it to be.

Secure programming is nothing but preventing your software from getting
into an undesirable condition (I call them a predicate). I am so
frustrated about current software quality I decided to wait for
others' improvements. Very little software around has close to decent
quality, and even that is not enough. Some are: OpenBSD, DJB tools,
Knuth TeX...

I meant: close to decent. It is not adequate yet.

I started writing many programs I am in need of. This is the kind of
job for which people around label me nerd, insane and the like stupid offence.
I don't care, although it is a job for the very patient.


Some books that allowed me to have very different perspective about
programming are:

A Logical Approach to Discrete Math, David Gries.
The Science of Programming, David Gries.
Predicate Calculus and Program Semantics, Dijkstra
A Discipline of Programming, Dijkstra
Formal Development of Programs and Proofs, Dijkstra.

Although it is very hard to be 100% rigorous, they all - no exception - help a lot.

For those interested in doing serious secure programming, I am
confident in suggesting them, if you would allow.

It is important to know these books are all about programming, not
about coding, i.e., no particular language syntax is taken into account.

I hope it helps.


PS: As soon as I have some result to show, I may post a URL for those
who want to play with my software.

On 1/28/05, mac4-security@theory.org <mac4-security@theory.org> wrote:
Hi Gustavo-

I must admit that I have no idea what the difference is between coding
and programming. If this is common knowledge to everyone else, please
fill me in. Did I miss something when I skipped the "Introduction to C"
class?

To answer the question though, to me "secure programming" means
implementing code which makes no assumptions. You can't assume the user
input is well formatted. You can't assume that your co-worker's code is
bug free. You can't assume your own code is bug free. Unfortunately you
can't assume the OS is secure either, so there is probably no such thing
as a truly secure application. You can only hope everyone is making the
same effort you are.

To that end, software should have well defined components with discrete
separation and few entry points. Less code is a good thing if you feel
comfortable about the libraries you are making use of. Spend a
significant amount of time doing code reviews with peers, and be sure
you can draw a clear picture of your architecture. If you can't, it's
probably too complicated.

One rule of thumb I use when writing code is to write it from a view
point where it may be available to the public at some point in the
future. Even though I work on a closed source product, I make no
assumption about the source code being secret. So if the code is leaked,
I won't lose any sleep.

Oh, and learn from other people's mistakes! Read bugtraq, this list, etc...

Regards,
Neil


Gustavo Rios wrote:
Hey folks,

I am very new to this mailing list, this is just my first message.
I wonder what you take for "secure programming"?

Are you folks aware of the difference between coding and programming?
I am sure plenty of you guys/girls here are, but it is worth
refreshing it, isn't it?
Don't get me wrong, please, but I do ask that because I have heard
about many "secure programming" techniques that are, simply put,
misguided. And the most amazing thing is that there are plenty of folks
around "buying" many wrong concepts. I hope this mailing list may
clarify the ones I bought myself too (we all do, in different amounts,
of course).

Thanks for your feedback.


