Re: [SC-L] Genotypes and Phenotypes (Gunnar Peterson)

2009-10-14 Thread Andreas Saurwein Franci Gonçalves
2009/10/14 SC-L Reader Dave Aronson securecoding2d...@davearonson.com

 Andreas Saurwein Franci Gonçalves saurw...@gmail.com wrote
 (rearranged into correct order):

  2009/10/13 Bobby Miller b.g.mil...@gmail.com
 
  The obvious difference is parts.  In manufacturing, things are
  assembled from well-known, well-specified, tested parts.  Hmmm

  That's the idea of libraries. Well known, well specified, well tested
  parts. Well, whatever.

 Ideally, yes.  However, programmers love to reinvent the wheel.  It's
 MUCH easier, both to do and to get away with, in software than in
 hardware... and often necessary.

 Need a bolt of at least a given length and strength, less than a given
 diameter?  There are standard thread sizes, and people make bolts of
 most common threadings and lengths, for purchase at reasonable prices,
 at places easily found, and you can be fairly certain that any given
 one of them will do the job quite well.

 Need a function for your program?  If it's as common as a bolt, it's
 probably already built into the very language.  If it's nearly as
 common, maybe there's a fairly standard library for it... and if
 you're very lucky, it's not too buggy or brittle.  Otherwise, it's
 probably going to be much cheaper (which is all your management
 probably cares about) to just code the damn thing yourself, than to
 research who makes such a thing, which ones there are, who says which
 one is how reliable, which ones have licensing terms your company
 finds palatable, and justifying your choice to management.  Lord help
 you if it requires money, because then you have to justify it to a
 higher degree, get the beancounters involved, budgetary authority from
 possibly multiple layers of manglement, and spend the rest of your
 days filling out purchase orders.

 If you do wind up coding it yourself, is the company then going to
 make that piece of functionality available to the world separately,
 whether for profit or open source?  N times out of N+1, for very large
 values of N, no way!

 Will they at least make it available *internally*, so that *they*
 don't have to reinvent the wheel *next* time?  Again, N times out of
 N+1, for almost as large values of N, no.

 -Dave


Exactly, that's the point. Going a bit further, for every piece of hardware
engineering, there is almost always a legal, worldwide or at least national
standard to follow. This is nonexistent in software.

As long as anybody with at least one healthy finger is allowed to write and
sell software, the current situation will not change.

Make software development an engineering discipline with all the rights
and obligations of other engineering sciences.

No more coding without a license. Point. This would change the landscape of
bits and bytes in a dramatic way. But it requires the support of the
governments worldwide.

My 2 cents (I too would have to get back to college and study some more,
although I have 25+ years of software development experience).
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] Genotypes and Phenotypes (Gunnar Peterson)

2009-10-13 Thread Andreas Saurwein Franci Gonçalves
That's the idea of libraries. Well known, well specified, well tested parts.
Well, whatever.

2009/10/13 Bobby Miller b.g.mil...@gmail.com

 The obvious difference is parts.  In manufacturing, things are assembled
 from well-known, well-specified, tested parts.  Hmmm


 ... If you look at other things
 that people build, like oil refineries, or commercial aircraft, we can
 deal with complexity much more effectively than we can with software.
 The problem with software is that we've never learned how to control
 the side effects of choices, which we call bugs.



Re: [SC-L] Interesting article on the adoption of Software Security

2004-06-12 Thread Andreas Saurwein

Crispin Cowan wrote:
> However, where ever C made an arbitrary decision (either way is just as
> good) PL/M went the opposite direction from C, making it very annoying for
> a C programmer to use.

Does that mean it did not make any decision at all? What was the outcome?

Michael S Hines wrote:
> When you've been around for a while, you start to see the same features
> converge. UNIX had quotas, we got Quotas with Win XP Server (well earlier,
> when you include the third party ISVs - as an add on). IBM had Language
> Environment (LE) before .NET came along.

Crispin Cowan wrote:
> I think .Net borrows most heavily from Java. Java in turn borrows from
> everyone. The managed code thing in particular leads back to the Pascal
> P-code interpreter; a kludge to make the Pascal compiler easier to
> implement and port. The innovation in Java was to take this ugly kludge
> and market it as a feature :)

I'm not sure that it can be blamed on Pascal. Microsoft was shipping Excel
for the Mac in the early 80's as a P-Code application and has been selling
P-Code generating compilers since about the same time. Ever since, MS has been
strong on P-Code generating compilers.

Michael, let me please correct two more things in your comment:
1) there is no such thing as a Windows XP Server (probably you refer to
Windows 2003 Server)
2) Quotas have been native to Windows 2000 already (let's not discuss quota
management now...)

cheers
Andreas

[SC-L] User Education Tool?

2004-03-04 Thread Andreas Saurwein
On a somewhat abstract line of thinking, in regard to the latest virus
outbreaks, one idea came up which might even be useful:

I think that we all agree that the current outbreak of Netsky, Bagle and 
others is mainly because users still try to open everything they receive, 
no matter how weird it is.

Now, doing something really flashy like creating a virus-like application
as follows:
* it is sent as a zipped attachment
* when opened, it brings up a huge, clear message that the user would now
have been infected with a virus. A short, understandable message explaining
why and how to avoid it would be appropriate.
* it asks the user for permission to forward itself to the user's contacts,
to help spread the education.

Would that still classify as a virus? Or would that pass as something else?
Would a measure like this have any success? What other measure could reach
the critical user groups?

Probably this has been discussed on some lists already, but I didn't find any
references.

Cheers
Andreas