Re: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet]
On 10/28/06, David Crocker [EMAIL PROTECTED] wrote: Crispin Cowan wrote: For me, the enemy in the room is C++. It gives you the safety of C with the performance of SmallTalk. There is no excuse at all to be writing anything in C++ yet vastly too many applications are written in C++ anyway. Instead of trying to coax developers to switch from C++ to something weird like SML, lets encourage them to switch to Java or C#, which are closer to their experience. Unfortunately, there are at least two situations in which C++ is a more suitable alternative to Java and C#: - Where performance is critical. Run time of C# code (using the faster .NET 2.0 runtime) can be as much as double the run time of a C++ version of the same algorithm. Try telling a large company that it must double the size of its compute farms so you can switch to a better programming language! Don't go there, sister. Come up with some reasonable tests before making a statement like that. Assembly code can be as much as a million times faster then the run time of a C++ version of the same algorithm. Bit useless, isn't it? Lets not forget that writing faster/more optimised code in c++ will be more complex and hence allow room for more errors then letting the c#/java runtime optimiser do the dirty work for us. However, I suspect that most security-critical programs do not fall into either of these categories, What? Cryptography rings a bell ... so C# or Java would indeed be a better choice than C++ for those programs. David Crocker, Escher Technologies Ltd. Consultancy, contracting and tools for dependable software development www.eschertech.com -- mic ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php
Re: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet]
Crispin, It is most certainly true that C++ can be appropriate in those cases. C++ programs can perform just as well as C programs, while also being much better structured. Of course, it will be necessary to avoid performing frequent allocation and deallocation of heap memory in the C++ program - but the same is true of C programs. Poorly-performing programs can be written in either language. David Crocker, Escher Technologies Ltd. Consultancy, contracting and tools for dependable software development www.eschertech.com -Original Message- From: Crispin Cowan [mailto:[EMAIL PROTECTED] Sent: 03 November 2006 04:46 To: David Crocker Cc: 'Secure Coding' Subject: Re: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet] David Crocker wrote: Unfortunately, there are at least two situations in which C++ is a more suitable alternative to Java and C#: - Where performance is critical. Run time of C# code (using the faster .NET 2.0 runtime) can be as much as double the run time of a C++ version of the same algorithm. Try telling a large company that it must double the size of its compute farms so you can switch to a better programming language! - In hard real-time applications where garbage collection pauses cannot be tolerated. Except that in both of those cases, C++ is not appropriate either. That is a case for C. Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering, Novell http://novell.com Hack: adroit engineering solution to an unanticipated problem Hacker: one who is adroit at pounding round pegs into square holes ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php
Re: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet]
David Crocker wrote: Unfortunately, there are at least two situations in which C++ is a more suitable alternative to Java and C#: - Where performance is critical. Run time of C# code (using the faster .NET 2.0 runtime) can be as much as double the run time of a C++ version of the same algorithm. Try telling a large company that it must double the size of its compute farms so you can switch to a better programming language! - In hard real-time applications where garbage collection pauses cannot be tolerated. Except that in both of those cases, C++ is not appropriate either. That is a case for C. Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering, Novell http://novell.com Hack: adroit engineering solution to an unanticipated problem Hacker: one who is adroit at pounding round pegs into square holes ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php
Re: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet]
Crispin Cowan wrote: For me, the enemy in the room is C++. It gives you the safety of C with the performance of SmallTalk. There is no excuse at all to be writing anything in C++ yet vastly too many applications are written in C++ anyway. Instead of trying to coax developers to switch from C++ to something weird like SML, lets encourage them to switch to Java or C#, which are closer to their experience. Unfortunately, there are at least two situations in which C++ is a more suitable alternative to Java and C#: - Where performance is critical. Run time of C# code (using the faster .NET 2.0 runtime) can be as much as double the run time of a C++ version of the same algorithm. Try telling a large company that it must double the size of its compute farms so you can switch to a better programming language! - In hard real-time applications where garbage collection pauses cannot be tolerated. However, I suspect that most security-critical programs do not fall into either of these categories, so C# or Java would indeed be a better choice than C++ for those programs. David Crocker, Escher Technologies Ltd. Consultancy, contracting and tools for dependable software development www.eschertech.com ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php
Re: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet]
Larry Kilgallen wrote: Is there participation on this list from the (hopefully larger number of) CMU instructors who are teaching people to use safer languages in the first place ? May anybody not from CMU enter the discussion about safer languages? ;-) I'm in favor of SML, as it has a number of implementations (some of them comparable to C in speed) and a formal definition (well-typed programs do not go wrong) + a standard library. But I do see it's hard to push it in industry. Managers like industry best practice so that they need not take risk. Or, better say, they take the risks everybody else takes just probably are not aware of this. From the human resources point of view it's not that easy to find experienced sml programmers as there are very few companies who employ such creatures. Vicious circle, you know. Regarding the programming environment and libraries: it's just not a research act to develop such things for sml anymore, so academics will not pursue it. I've heard of an NSF infrastructure grant to develop eclipse plugin for sml, though. Industry has not catched upon yet, nor the OSS community. And, just as an aside: I've heard a story that some cs celebrity (Dijkstra?) once coined some conditions for a programming language to be successful. The last clause was IBM should love it. Yep, we've seen this with Java. Anybody from IBM? - Gergely ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php
Re: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet]
At 12:11 PM -0400 10/13/06, James Walden wrote: you really have to use C because it's the only thing that will do, That seems extremely improbable. -- Larry Kilgallen ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php
Re: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet]
On 10/12/06, Craig E. Ward [EMAIL PROTECTED] wrote: I don't think saying use safer languages is a good way to say it.It would help conditions significantly if greater care were taken tomatch the choice of programming language to the problem to be solved or application to be created. If a language like C is mostappropriate, then use it, just be sure to take the extra steps neededto develop it securely.I agree that the programming language should be chosen to match the problem, though it's worth pointing out that security is typically part of the problem to be solved. There are safer systems programming languages than C, such as D and Cyclone. If you've considered the alternatives and you really have to use C because it's the only thing that will do, then yes, use it and be sure to use it securely and verify that fact with static analysis tools and code reviews. James ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php
Re: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet]
At 9:02 PM +1000 10/13/06, mikeiscool wrote: On 10/13/06, Craig E. Ward [EMAIL PROTECTED] wrote: At 10:03 AM -0400 10/12/06, ljknews wrote: At 9:20 AM -0400 10/12/06, Robert C. Seacord wrote: I'm also teaching a course at CMU in the spring on Secure Coding in C and C++. Is there participation on this list from the (hopefully larger number of) CMU instructors who are teaching people to use safer languages in the first place ? -- Larry Kilgallen I don't think saying use safer languages is a good way to say it. It would help conditions significantly if greater care were taken to match the choice of programming language to the problem to be solved or application to be created. If a language like C is most appropriate, then use it, just be sure to take the extra steps needed to develop it securely. The problem is so much the programming languages as it is the way they are used. Well, programming languages can go a long way to helping solve the problem, and it can be reasonably grey as to where to use what. Should I use php or ror? or python? or c#? I'd say there is a very appropriate and open space for nice secure languages to live and develop. I think that's what I was trying to say. The last sentence of my note has an error. I meant to write The problem is not so much the programming languages as it is the way they are used. Sorry for the bad proof reading. Also, in the IEEE Software July/August 2006 issue in the Tools of the Trade department, Diomidis Spinellis discusses several factors to consider when selecting a programming language for a particular project. Those plus security make for some reasonable criteria to use. Craig -- Internet: [EMAIL PROTECTED] If a program has not been specified, it cannot be incorrect; it can only be surprising. (Young, Boebert, and Kain) ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php
Re: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet]
At 10:03 AM -0400 10/12/06, ljknews wrote: At 9:20 AM -0400 10/12/06, Robert C. Seacord wrote: I'm also teaching a course at CMU in the spring on Secure Coding in C and C++. Is there participation on this list from the (hopefully larger number of) CMU instructors who are teaching people to use safer languages in the first place ? -- Larry Kilgallen I don't think saying use safer languages is a good way to say it. It would help conditions significantly if greater care were taken to match the choice of programming language to the problem to be solved or application to be created. If a language like C is most appropriate, then use it, just be sure to take the extra steps needed to develop it securely. The problem is so much the programming languages as it is the way they are used. Craig -- Internet: [EMAIL PROTECTED] If a program has not been specified, it cannot be incorrect; it can only be surprising. (Young, Boebert, and Kain) ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php
Re: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet]
On 10/13/06, Craig E. Ward [EMAIL PROTECTED] wrote: At 10:03 AM -0400 10/12/06, ljknews wrote: At 9:20 AM -0400 10/12/06, Robert C. Seacord wrote: I'm also teaching a course at CMU in the spring on Secure Coding in C and C++. Is there participation on this list from the (hopefully larger number of) CMU instructors who are teaching people to use safer languages in the first place ? -- Larry Kilgallen I don't think saying use safer languages is a good way to say it. It would help conditions significantly if greater care were taken to match the choice of programming language to the problem to be solved or application to be created. If a language like C is most appropriate, then use it, just be sure to take the extra steps needed to develop it securely. The problem is so much the programming languages as it is the way they are used. Well, programming languages can go a long way to helping solve the problem, and it can be reasonably grey as to where to use what. Should I use php or ror? or python? or c#? I'd say there is a very appropriate and open space for nice secure languages to live and develop. Craig -- mic ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php
Re: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet]
On Wed, 11 Oct 2006, Gary McGraw wrote: We're working on it! The problem is not simply a book. Great! What are you guys doing? What more can be done? There are quite a few of us willing to help, and I figure, starting with the books future programmers learn from is not a bad idea. This community is perfect for this job. Gadi. gem -Original Message- From: Gadi Evron [mailto:[EMAIL PROTECTED] Sent: Wed Oct 11 20:58:12 2006 To: Kenneth Van Wyk Cc: Secure Coding Subject: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet] So, how can we edit current basic programming college books to present secure code, a couple of words of the correct way of doing things, and a whole new chapter on secure coding (which may be redudndent?) How do we start? Some Whiley book for introduction to CS? Any volunteers to get this on the road? Gadi. On Wed, 11 Oct 2006, Kenneth Van Wyk wrote: So here's a lovely statistic for the software community to hang its hat on: http://news.zdnet.com/2100-1009_22-6124541.html?tag=zdfd.newsfeed Among other things, the article says, Atlanta-based ISS, which is being acquired by IBM, predicts there will be a 41 percent increase in confirmed security faults in software compared with 2005. That year, in its own turn, saw a 37 percent rise over 2004. Of course, the real losers in this are the software users, who have to deal with the never ending onslaught of bugs and patches from their vendors. We've just _got_ to do better, IMHO, and automating the patch process is not the answer. Cheers, Ken - Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php
Re: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet]
We're working on it! The problem is not simply a book. gem -Original Message- From: Gadi Evron [mailto:[EMAIL PROTECTED] Sent: Wed Oct 11 20:58:12 2006 To: Kenneth Van Wyk Cc: Secure Coding Subject:[SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet] So, how can we edit current basic programming college books to present secure code, a couple of words of the correct way of doing things, and a whole new chapter on secure coding (which may be redudndent?) How do we start? Some Whiley book for introduction to CS? Any volunteers to get this on the road? Gadi. On Wed, 11 Oct 2006, Kenneth Van Wyk wrote: So here's a lovely statistic for the software community to hang its hat on: http://news.zdnet.com/2100-1009_22-6124541.html?tag=zdfd.newsfeed Among other things, the article says, Atlanta-based ISS, which is being acquired by IBM, predicts there will be a 41 percent increase in confirmed security faults in software compared with 2005. That year, in its own turn, saw a 37 percent rise over 2004. Of course, the real losers in this are the software users, who have to deal with the never ending onslaught of bugs and patches from their vendors. We've just _got_ to do better, IMHO, and automating the patch process is not the answer. Cheers, Ken - Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php
Re: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet]
On 10/12/06, Gadi Evron [EMAIL PROTECTED] wrote: So, how can we edit current basic programming college books to present secure code, a couple of words of the correct way of doing things, and a whole new chapter on secure coding (which may be redudndent?) How do we start? Some Whiley book for introduction to CS? Any volunteers to get this on the road? Secure programming is good programming. Most books teach good programming. People just don't care. Gadi. -- mic ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php
Re: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet]
Gadi, I sort of agree with mic that the problem is poor programming. My last manager liked to pick up C text books at random and point out all the vulnerabilities in the code examples that are being used to teach the next generation of programmers (how to write vulnerabilities). This community is perfect for this job. If the community is bored right now ;^) we are looking for community help to build up our knowledge of secure coding rules and recommendations for the C and C++ programming languages: www.securecoding.cert.org I'm also teaching a course at CMU in the spring on Secure Coding in C and C++. I'm hoping to take this material and incorporate it into the course. Once I get some experience teaching the material, I could help turn it into a college text. (I've written three books already, so I'm a proven threat. 8^) Thanks, rCs -- Robert C. Seacord Senior Vulnerability Analyst CERT/CC Work: 412-268-7608 FAX: 412-268-6989 ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php
[SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet]
So, how can we edit current basic programming college books to present secure code, a couple of words of the correct way of doing things, and a whole new chapter on secure coding (which may be redudndent?) How do we start? Some Whiley book for introduction to CS? Any volunteers to get this on the road? Gadi. On Wed, 11 Oct 2006, Kenneth Van Wyk wrote: So here's a lovely statistic for the software community to hang its hat on: http://news.zdnet.com/2100-1009_22-6124541.html?tag=zdfd.newsfeed Among other things, the article says, Atlanta-based ISS, which is being acquired by IBM, predicts there will be a 41 percent increase in confirmed security faults in software compared with 2005. That year, in its own turn, saw a 37 percent rise over 2004. Of course, the real losers in this are the software users, who have to deal with the never ending onslaught of bugs and patches from their vendors. We've just _got_ to do better, IMHO, and automating the patch process is not the answer. Cheers, Ken - Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php
