Standards for developing secure software
From: David Wheeler (dwheeler@ida.org)
Date: 01/02/03
Date: Thu, 02 Jan 2003 11:02:30 -0500
From: David Wheeler <dwheeler@ida.org>
To: secprog@securityfocus.com
Rahul Chander Kashyap <rahul@nsecure.net> said:
>>So, how about directing our focus with an aim at reaching ...
>>some kind of a standard/practice which aims at following
>>certain guidelines to be taken at the design stage of any software
>>development process ...
>>yes there are books... I agree but then if we follow something as a standard
>>I'm sure that it shall be more universally accepted and we also could improve
>>on those! ...
>>But from our/the
>>developer point of view shouldn't we have a practice that should be adhered to??
>>(Say this could start from as simple a thing like ONLY using checked
>>functions like strncpy() instead of strcpy.)
I'm a strong supporter of useful standards, but the emphasis has to be on
"useful". For example, you can have perfectly insecure code using strncpy().
See my book for why that's so. Cookie cutters don't work well here.
A standard "guidance" document could be useful; the existing books could
be used as a starting point. But it requires much more text - it's not just
"don't use function X, use function Y".
But if you really want secure code, the MOST important thing is to
get developers trained in how to write secure programs.
The basic problem isn't that we need better books or guidance.
The problem is that developers don't grok _ANY_ of the books.
In short, you only need one meta-practice: if you're a developer, you
MUST sit down and learn how to write secure code. Period.
Lots of other things can help (e.g., languages/libraries with fewer
"sharp edges", processes, tools, etc.) - but they will _all_ fail badly if
developers don't know how to do the job.
I half-seriously think we should shut down every CS or Software Engineering
department that doesn't devote at least two hours to the subject of how to
develop your own secure software. NOT "how the DES algorithm/Kerberos/IPSec/
firewalls work". Because, in the real world, people don't re-write DES - they
implement their own code, and tend to make the same mistakes as everyone
else did before them. Now that the Internet is ubiquitous, EVERY developer
has to write secure code at some time - it's a result of being interconnected.
Grab any of the books I mentioned (mine, Howard's, Viega's) and use that
as a resource. Talk through the S&S principles, walk through the most
common types of vulnerabilities in real programs and how to avoid them.
In one hour a developer can learn enough to avoid 99% of the mistakes
currently being made. I've done this many times. You can even download
my 1-hour talk and slides for free from:
http://www.dwheeler.com/secure-programs
It's criminal that we can't figure out how to get that 1-2 hours.
--- David A. Wheeler
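
An added example, not part of the original message and not taken from the author's book: one well-known way that code using strncpy() can still be insecure is that strncpy() leaves the destination unterminated when the source fills the buffer. The function names, the 8-byte buffer and the reject-instead-of-truncate policy in the hardened version are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Weak: the "just use strncpy()" rule applied mechanically.
 * strncpy() writes no terminating NUL when strlen(src) >= dstsize.
 * Returns 1 if dst ended up NUL-terminated, 0 if it did not. */
int copy_strncpy_only(char *dst, size_t dstsize, const char *src)
{
    memset(dst, 'X', dstsize);   /* simulate stale, non-zero memory */
    strncpy(dst, src, dstsize);
    return memchr(dst, '\0', dstsize) != NULL;
}

/* Hardened (policy assumed for this example): refuse input that does
 * not fit instead of truncating it silently, and always leave dst a
 * valid C string. Returns 0 on success, -1 on rejection. */
int copy_checked(char *dst, size_t dstsize, const char *src)
{
    size_t len;

    if (dst == NULL || src == NULL || dstsize == 0)
        return -1;
    len = strlen(src);
    if (len >= dstsize) {        /* no room for the terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);   /* copies the NUL as well */
    return 0;
}

int main(void)
{
    char buf[8];
    /* Constructed sample inputs: one fits, one is exactly buffer-sized. */
    const char *samples[] = { "short", "exactly8" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int terminated = copy_strncpy_only(buf, sizeof buf, samples[i]);
        int rc = copy_checked(buf, sizeof buf, samples[i]);
        printf("%-9s strncpy-terminated=%d checked-rc=%d\n",
               samples[i], terminated, rc);
    }
    return 0;
}
```

A later strlen() or printf("%s") on the unterminated buffer reads past its end, which is why replacing one function name with another does not by itself make the code safe.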