Re: secprog Digest 18 Nov 2002 18:35:57 -0000 Issue 113

From: George Capehart (gwc@capehassoc.com)
Date: 11/23/02

  • Next message: Ben Laurie: "Re: SHA-1 vs. triple-DES for password encryption?"
    Date: Fri, 22 Nov 2002 19:17:07 -0500
    From: George Capehart <gwc@capehassoc.com>
    To: David Wheeler <dwheeler@ida.org>
    
    

    David Wheeler wrote:
    >
    > > Before the rest of my response, I'd like to make clear that I believe
    > > that poor programmer education is one of the primary reasons we have
    > > so many vulnerabilities.
    >
    > I believe the _MOST_ important step to take today is to get
    > EVERY software developer trained in how to write secure applications.
    > It is _CRIMINAL_ that we still permit computer science and
    > software engineering graduates to graduate without knowing
    > the fundamentals on writing secure programs!

    <snip>

    I've bitten my tongue through the "bad developer library" thread on this
    list, but I can't stand it any longer. <rant> Seems to me there are
    several problems that contribute to the proliferation of insecure
    software. Certainly programmer ignorance is one. I agree 100%. Having
    said that, I really believe that if one of the criteria for hiring
    programmers was their ability to write secure code, the training
    institutions would graduate programmers who could write secure code. I
    have been in the industry a long time and have worked in and around many
    different organizations . . . from the very small to the very large. I
    have worked with/in software development firms, manufacturing companies,
    financial services organizations, county governments and everything in
    between. *Never once*, in the 21 years that I have been in the
    industry, have I heard a product manager, project manager or development
    manager place better over faster and/or cheaper. This translates out
    to: "To hell with doing it The Right Way (TM), get it done yesterday!
    Just get it working . . . we can fix it when somebody complains."

    At one of my venues, I was a project manager on one project that had
    just finished getting the requirements and was beginning the design
    phase when, one day in March, the business owner of the system came to
    me and said, "On June 1, I'm going to pull the plug on the old system.
    The new one had better be ready." The old system did order entry,
    invoicing, inventory management and shipping. We got it done . . . but,
    for the next four years I had two people full time with their fingers in
    the dike, fixing bugs and "enhancing" functionality to make the system
    run.

    At another venue, I was the technology program manager on a project to
    start up a Web site that did online financial transactions.
    Time-to-market was the only concern and the business owner of the system
    did not care about the risk he was assuming by pushing things on a fast
    track . . .

    Based on the preceding two paragraphs, it would be easy to "blame" the
    the "pointy haired managers" for not caring about the lack of security
    that their insistence on haste engenders. In the end, though, I believe
    it is the customer who ultimately defines the level of security that is
    built into systems. Customers get what they are willing to pay for.
    Educated customers who require top quality, secure products get them.
    Windows customers get what they deserve. Personally, I want to deliver
    the best possible product I can. There are many companies that do so.
    There *are* six-sigma companies. These companies operate in spaces in
    which their customers are educated and have a point of reference. What
    point of reference does the average Windows user have? Windows. What
    point of reference does the average pointy-haired manager have?
    Whomever yelled loudest at him. The rest of the argument is left as an
    exercise for the reader.

    So, is there any mystery that there is no emphasis on secure programming
    in the educational process? Who cares? The employers? Who is
    sophisticated enough to demand and recognize secure software when it
    bites them? Not the pointy-haired manager. Not the average Windows
    user . . .

    So, when will we see secure software? A) in the isolated shop that that
    takes a craftsman's pride in delivering a top quality product, and/or B)
    when consumers demand it. For now, I'm looking for A.
    </rant>

    gwc

    --
    George W. Capehart
    Capehart Associates LLC                         Phone:  +1 704.678.1660
    1604 Nottingham Drive				Fax:	+1 704.853.2624
    Gastonia, NC  28054
    "We did a risk management review.  We concluded that there was no risk
     of any management."  -- Dilbert