Re: [SC-L] Yoran on the state of software security

2004-04-20 Thread Kenneth R. van Wyk
Greetings all,

I was asked to clarify what I posted yesterday re Amit Yoran's recent public 
statements on the topic of software security.

On Tuesday 20 April 2004 03:27, an SC-L reader wrote:
> Ken, could you clarify a little please?

Happy to, see below.

> I detect a slightly snide tone that suggests that you disagree with the
> assertion that it is inexplicable to produce software that suffers from
> buffer overruns.  Is that really your position?  If so, why?

Heavens no!  Sorry for the ambiguity.  Indeed, the issue of buffer overruns is 
probably the principal one that convinced me to co-author Secure Coding with 
Mark Graff.  I'd like to see them become the polio of the tech world.

What I was trying to make light about in my note is whether Yoran got that 
notion from my statement in my TechTV interview -- that we have to focus more 
of our attention at improving software security.  That was where the "me 
neither..." came from, because I have no delusions that he would have caught 
my segment on the show -- or that it would have influenced him in any way 
even if he had.

> Of course there are lots of other security issues (not least social
> engineering ones) but in what way is security /harmed/ by disciplined
> programming in appropriate languages supported by appropriate tools?  Our
> experience is that such rigorous software engineering approaches result in
> more robust and secure product and a significant cost saving over less
> rigorous approaches.

Yes, I fully concur.  I found it encouraging that Yoran is raising software 
security as a major issue also.  I do wish that he'd used other examples than 
only buffer overruns, but it's a good step in the right direction.  I'm 
particularly big on improving the design phase, long before any line of code
(overrun or not) has been written.

Does that help clarify my point?

Cheers,

Ken van Wyk
-- 
KRvW Associates, LLC
http://www.KRvW.com


Re: [SC-L] Missing the point?

2004-04-20 Thread Dave Aronson
On Tue April 20 2004 12:34, Michael A. Davis wrote:

> It is not the source code that is the
> problem -- it is the developer.

The proof of the developer's grokking of secure coding, is in the code.

-- 
Dave Aronson, Senior Software Engineer, Secure Software Inc.
Email me at: work (D0T) 2004 (@T) dja (D0T) mailme (D0T) org
(Opinions above NOT those of securesw.com unless so stated!)
http://www.securesoftware.com is HIRING developers/auditors! 


RE: [SC-L] Missing the point?

2004-04-20 Thread Alun Jones
[EMAIL PROTECTED] wrote:
> Michael A. Davis wrote:
>> Isn't she missing the point? It is not the source code that is the
>> problem -- it is the developer.
>
> Well of course you can improve the quality of your code by
> educating your developers, but you cannot avoid doing code review.
> Developers are lazy and they will commit errors.

More to the point, they are human, and even developers that are not lazy
will occasionally make mistakes.  Simply finding a committed programmer who
understands security will not produce a secure product.

Alun.

-- 
Texas Imperial Software   | Find us at http://www.wftpd.com or email
1602 Harvest Moon Place   | [EMAIL PROTECTED]
Cedar Park TX 78613-1419  | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.