On 17:34:11 Dec 14, bofh wrote: > Heh. I think we're having far too much fun in the other threads.
You mean threads or thread? ;) ha ha > I > have a serious question. Shoot. > I'm a mangler in a largish company. We have > developers, and contractors. No coding standards and all that, so, > things are... messy. But of course yes. ;) > I'm not in charge of development, but I want to help them develop > something useful, and secure. Other than doing a braindump of the > developers here, what are the things that you people have found useful > to have in secure programming practises? Some of the things like privilege separation, privilege revocation, using OpenBSD's gcc, using strl* and strn* functions, giving enough headroom for buffers instead of being stingy in buffer sizes as they are allocated on the stack anyway and so on and so forth... Making things really simple and straight forward. Use a good programming language and write less code.... I could go on. ;) > I'm looking for advice, tips, procedures, processes, whatever. I will > be looking through my old notes from Matt Bishop's class at SANS, and > other things I've gathered throughout the years. I have been doing security programming for a decade now but nothing comes even remotely close to OpenBSD's standards. I would say just dump those lessons and look at /usr/src/sys... ;) > Unfortunately, it's rather flat here, so I can't even invite Theo to > come by and give a talk. ;) Best of luck! -Girish
