est to try to get it.
--- David A. Wheeler
A developer who doesn't understand anything may
just choose to override their tool, because the reasons for the limitations
haven't been explained to them.
Tools are great. But only if we educate our developers
sufficiently so they'll know how to use the tools, their
limitations, and the risks they take when overriding them.
--- David A. Wheeler
-programs/Secure-Programs-HOWTO/php.html
Historically, PHP hasn't had a wonderful track record.
On the other hand, it appears they're taking security much more seriously,
and have redesigned to make that happen. Chastise people when they
deserve it, but let's also give kudos to anyone who takes security
seriously & is willing to make real changes to improve the infrastructure.
--- David A. Wheeler
enerally get a free pass ("everyone else
chose this shoddy product!"), which means that this can
_disincentivize_ vendors of popular products from fixing their
wares, and it can disincentivize competition ("no one would
be willing to risk using my new product because they might get sued").
Sigh. Nothing is simple!
Anyway, just a few thoughts.
--- David A. Wheeler
tyfocus.com since I think it's relevant to
both groups).
--- David A. Wheeler
d demonstrates it."
I think you'll find this interesting.
(Note: I posted a similar message to Bugtraq earlier, but
I thought some of you might not have seen it.)
--- David A. Wheeler
in the "Works in Progress" session.
Of course, this is all WAY beyond what typical language
implementations provide developers today. But it's worth
knowing about.
--- David A. Wheeler
onment.
In this sense, the .NET framework may be slightly worse off than some other
environments, which ALWAYS do runtime checks that CANNOT be disabled.
But I don't think that's the key point. The best defense is
rampant paranoia among the developers.
te until they understand the
basics of bridge-building, including how to compute and handle
loads. Software developers shouldn't graduate until they
are able to identify and handle security attacks in software,
at least the basics.
--- David A. Wheeler
ally. After all, if a programmer
tends to play with fire, sooner or later they
will get burned. So if you're getting THAT many false positives,
that may indicate that maybe you should change your approach to
be "safer". Also, I speculate that t
preprint
of the FIST paper you mean is here, correct?:
http://www.cigital.com/papers/download/ieees_p98_2col.pdf
--- David A. Wheeler
can guarantee it is a false positive, this is a very useful tool
indeed :-)
Indeed. Unfortunately, there seems to be a distinct shortage of software
that will trigger the false positive :-) :-).
--- David A. Wheeler
iate
for use in voting, and the companies selling them would have known better
had they done any examination of their real requirements.
The voters were given a lemon, and they should have the right to get
their money back.
--- David A. Wheeler
___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
program is working AS DESIGNED. These programs
are SPECIALLY DESIGNED to be insecure. And this was strongly
argued as a GOOD programming practice.
> People just don't care.
There, unfortunately, we agree. Though there's hope for the future.
--- David A. Wheeler
compilers tend to work the
same way anyway; they often have a front-end that generates one or more
intermediate forms that are easily viewed as a bytecode format, and then
compile the intermediate form(s) into a final form.
Whether or not having a standalone intermediate form is useful
depends on you
er hand, other language communities are unwilling to take
even small steps to eliminate sharp edges from their languages.
--- David A. Wheeler
" without also making the warning not report what it SHOULD
report. It's a classic false positive vs. false negative problem
for all static tools, made especially hard in languages where
there isn't a lot of information to work with.
--- David A. Wheeler
usive creation.
I wish that the C standard body would update the C library and add
an "exclusive create" capability for fopen(), so that languages
that build on fopen() can do so.
This doesn't work on at least old versions of NFS reliably,
unfortunately. I believe that's been fixed,
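The exclusive-create point above, as an added example (not code from the post or from the SC-L list): on POSIX the atomic form is open() with O_CREAT|O_EXCL, and C11 later added the "x" flag to fopen() so portable C code can request the same behaviour without dropping to open(). The demonstration function and the path it uses are assumptions for this example; it creates a file, then shows that a second exclusive create of the same path is refused with EEXIST. (The caveat in the post still applies: on old NFS implementations the O_EXCL check was not guaranteed atomic, so the guarantee depends on the filesystem.)

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Create a file that must not already exist, or fail.
 * O_EXCL makes "check that it does not exist" and "create it" a single
 * atomic step, so there is no window for an attacker to drop a symlink or
 * pre-made file between a separate stat()/access() check and the create.
 * O_NOFOLLOW additionally refuses to follow a symlink at the final path
 * component. Returns an fd, or -1 with errno set (EEXIST if it exists). */
int create_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* The same request expressed with the standard C library only:
 * the "x" flag (C11) asks fopen() for exclusive creation.
 * Returns NULL with errno == EEXIST if the file already exists. */
FILE *fopen_exclusive(const char *path)
{
    return fopen(path, "wx");
}

/* Demonstration helper (assumed for this example): returns 1 if both
 * exclusive-create variants correctly refuse a path that already exists,
 * 0 otherwise. Cleans up the file it created. */
int exclusive_create_refuses_existing(const char *path)
{
    int ok = 1;

    unlink(path);                         /* start from a clean slate */
    int fd = create_exclusive(path);      /* first create must succeed */
    if (fd < 0)
        return 0;
    close(fd);

    int fd2 = create_exclusive(path);     /* must now fail with EEXIST */
    if (fd2 >= 0) {                       /* wrongly succeeded */
        close(fd2);
        ok = 0;
    } else if (errno != EEXIST) {
        ok = 0;
    }

    FILE *f = fopen_exclusive(path);      /* must also fail with EEXIST */
    if (f != NULL) {
        fclose(f);
        ok = 0;
    } else if (errno != EEXIST) {
        ok = 0;
    }

    unlink(path);
    return ok;
}

int main(void)
{
    /* Constructed path for the demonstration; any writable location works. */
    const char *demo = "/tmp/sc-l-exclusive-create-demo.tmp";
    int ok = exclusive_create_refuses_existing(demo);
    printf("exclusive create refuses existing file: %s\n", ok ? "yes" : "NO");
    return ok ? 0 : 1;
}
```

The 0600 mode and O_NOFOLLOW are defensive defaults for files a program creates in a shared directory; the essential part for the race is O_EXCL (or "x"), which is what a fopen("w")-based wrapper cannot express without it.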
be reviewed, but only some get
real review. There are a number of specific OSS programs that do
markedly better than their proprietary competition in terms of security
- unsurprisingly, those tend to be the ones that HAVE received lots of
review. Conversely, there are many OSS programs (and
.).
In theory this COULD work for in-house software (military software, that
sort of thing). But you have to REALLY hide it, which is really hard to
accomplish. And one sale of the device "outside" the organization, or
one insider who releases the information, could suddenly caus
n't insert "ignore" directives, many people wouldn't use
such tools at all, and would release code with vulnerabilities that
WOULD be found by such tools.
--- David A. Wheeler
stify the claim? There IS some, but not much. We lack the scientific
information necessary to make decisions about many real-world (big)
applications, and what's worse, we lack a societal process to grow that
pool of information. I've no idea how to fix that.
--- David A. Wheeler
of
more specialized privileges to particular functions, without giving up
essential liberty. We have a long way to go in actually DOING this, but
the opportunity is there.
I do not think we need to give up our liberty just to "obtain" some
security. Benjamin Franklin already expla
ties. Of course, this didn't actually FIX the
vulnerabilities...! And my thanks to RealNetworks for coming clean
about their mistake; I'm sure they're neither the first NOR last, and we
can learn from them.
--- David A. Wheeler
24 matches