Re: [fw-wiz] FWTK and smap/smapd
From: Anton J Aylward, CISSP (aja@si.on.ca)
Date: 07/19/02
- Next message: Paul D. Robertson: "Re: [fw-wiz] FWTK and smap/smapd"
- Previous message: Marcus J. Ranum: "Re: [fw-wiz] FWTK and smap/smapd"
- In reply to: Marcus J. Ranum: "Re: [fw-wiz] FWTK and smap/smapd"
- Next in thread: Paul D. Robertson: "Re: [fw-wiz] FWTK and smap/smapd"
From: "Anton J Aylward, CISSP" <aja@si.on.ca>
To: "Marcus J. Ranum" <mjr@ranum.com>
Date: Fri Jul 19 12:49:01 2002
On Fri, 2002-07-19 at 10:24, Marcus J. Ranum wrote:
> Joseph S D Yao wrote:
> >without
> >commentary providing what you might call the specifications or design,
> >or the social contract between the programmer and the user, there is
> >nothing against which you can hold a piece of code and say, "THIS IS
> >WRONG!" Code is amoral; it has an inherently situational ethic; such
> >that even the grossest of buffer overflows can only lead us to conclude
> >that the code does it, therefore the code does it. We must provide and
> >communicate the moral absolutes against which the code is measured
> >right or wrong. And we can communicate this on dead trees, or in
> >living commentary.
>
> Hmmm... you've convinced me. I hadn't looked at it from that
> angle before.
>
> [snip]
> But you're right - what we're really talking about is checks and
> balances. And if you just give code there's, well, just code...
> I retract my previous comments on this topic!!! :) Where's the "undo"
> button?!
Sorry for including so much.

Yes, and this is one of my objections to much of the Open Source
community, including such companies as XIMIAN and the OpenOffice.org
group although I shouldn't pick on them. In many ways the "Open Source"
arguments against closed source are pure hypocrisy.

Code is just code. Big deal. Having the source code only tells you
what the source code is. As Joseph points out, it doesn't tell you why
it does what it does, if it should do what it does or anything.

This takes more than just comments, it takes more than just the
specification. It requires knowing the design DECISIONS. Why was it
done this way? Why was this specified?

One of the prime tenets of security is to have policies, since without
policies there is no coherence, everything is just an arbitrary - even
if well minded (but also uninformed) - decision made at the time. At
another time the same person or someone else might make a different
decision. I won't belabor this point since every decent book on
security makes it clear.

So too with code. But a specification is not like a security policy -
it doesn't explain the WHY only the WHAT. The "social context" is
needed to give meaning to this "amoral code".

And just to do the CYA bit: "get it out the door quickly and make a
profit" does not constitute adequate meaning or be adequate context.

/anton
--
Hardware has grown following Moore's Law,
software seems to be stuck with Gresham's Law.
-Jim Horning, Inside Risks
133 CACM 44, 7, July 2001