Blue Boar wrote: To clarify, I'm talking about things like passing unfiltered user input to a system shell, or a native API, something like that. True. In the case of passing a user input string to the shell or a database server, you're accepting what's potential a program as input. However,
At 8:10 PM -0400 6/29/04, James Walden wrote: While there are non-university classes and workshops that teach software security, I doubt that a majority of developers have attended even one such class. Software security has to be integrated into the CS curriculum before we can expect a
Gee, Some of us have been saying that for 40 years.
James Walden wrote: I'd like to open a discussion based on this quote from Marcus Ranum's ACM Queue article entitled Security: The root of the problem: Thanks. I also read Marcus's article with interest. Caveat: clearly, I have a biased outlook, since software security training is one of the
Kenneth R. van Wyk wrote: Overall, I like and agree with much of what Marcus said in the article. I don't, however, believe that we can count on completely putting security below the radar for developers. Having strong languages, compilers, and run-time environments that actively look out for
If the state of the art in automobile design had progressed as fast as the state of the art of secure programming - we'd all still be driving Model T's. Consider- - System Development Methods have not solved the (security) problem - though we've certainly gone through lots of them. -