Sorry all, I forgot to place the Sc-L addy when replying.

Regards,
George
Greenarrow1
InNetInvestigations-Forensics
----- Original Message -----
From: "Greenarrow 1" <[EMAIL PROTECTED]>
To: "Dana Epp" <[EMAIL PROTECTED]>
Sent: Saturday, November 13, 2004 6:53 PM
Subject: Re: [SC-L] Secured Coding

> Hi Dana,
>
> This is exactly what firewalls and anti-virus programs do, as they need to keep one foot ahead of the attacker. If attacked, they must immediately create a defense against the attack, but this is where I see a fault in a lot of programming. My thinking is: who is really at fault, the developer, the IT security reviewer, or both? I have monitored 2 specific companies that are in the security field. When they create new programs, one does fairly well while the other still stays with the programming of its past software, just upgrading enough to fool the user. In my business I have programs that can look at every piece of coding built within. It surprises me, the total lack of revamping security in their upgrading of programs or producing new ones.
>
> What I am getting at is, if other companies do as this, one does not wonder that secured coding is dismal. The one item I noticed is that there is a high amount of greed within certain companies. Get the product out no matter what, and if enough buyers complain then we might patch it. Naturally speed is essential in combating an attacker, but why does one company use speed and creativity to its advantage while another one is so sloppy the patch is actually more damaging than the attack? How do we stop this? I am totally against suing companies that produce bad coding that results in damage to users' systems, because I feel no law can be written without creating a huge mitigation of cases no matter how minor. Companies are afraid to share info because of infringement or copyright problems. This can be seen all over the internet. As in the case where one reader responded, "I do not have time to peruse any security newsletters."
>
> Well, duh, are they that valuable or superior to any other developer that 5, 10, or 15 minutes is going to destroy their day? I only subscribe to 5 security newsletters, and when there is nothing that pertains or relates to anything I do, I just delete it. But I have found some valuable info from posts which, while not in the language I use, still have effects upon what I do.
>
> I am not into heavy programming, but I do create software and scripts needed in computer forensics. I also use EnCase, for which in some cases I or my co-workers must create scripts to find what we are searching for. One item is that all our programs must be highly secured, as we cannot leave any evidence that we were searching one's computer for criminal prosecution. My guidelines are that all programs created must be tested and then reviewed, then go back to the developer for corrections, then be retested, reviewed again, then go back to the developer. The final version is then again tested by our CSO, which is forwarded to me, and if it meets all security guidelines it is then used by all workers. Yes, this takes time, but it saves lots of work and cuts the cost of having to revamp the program if it is flawed. When a company has to patch or upgrade because of secured coding, it costs more than if they would have taken the time to secure it correctly in the first place. Companies do not see this, as the objective is to get the new product out. If they would review the costs of patching, then issuing the patch to everyone, plus the man hours, they would see this waste of monies.
>
> I know I am raving on, so will close with: I Wish You a Very Happy Thanksgiving.
>
> I am happy to see subscribers again communicating on Sc-L, as it was lying dead in the water for a while. Just maybe if we all put our heads together we might have a solution to secured coding.
>
> Regards,
> George
> Greenarrow1
> InNetInvestigations-Forensics