Professor von Clueless in the Blunder Dome: Security is a Programming Problem?

	Professor von Clueless in the Blunder Dome	status privacy contact
Hangout for experimental confirmation and demonstration of software, computing, and networking. The exercises don't always work out. The professor is a bumbler and the laboratory assistant is a skanky dufus. Atom Feed Associated Blogs Edge City Numbering Peano Orcmid's Lair Praxis101 Spanner Wingnut's Muddleware Lab Recent Items Ending the Madness: Deja Triple Vu Your%20Message%20Here Just Ducky, Simply Ducky. And You? All Clear: End of Test #1 Why Learn Assembly Language Linking the Atom Feeds Button, Button, Where's the Update? Do We Have a Firewall or a Development Web? Attack of the Naughty Bees What Do You Do When Security Software Cocks-It-Up? Archives 2004-06-13 2004-06-20 2004-06-27 2004-08-29 2004-09-05 2004-09-12 2004-09-19 2004-10-10 2004-10-24 2004-11-07 2004-11-28 2004-12-05 2004-12-12	Wednesday, September 01, 2004 Security is a Programming Problem? ACM Queue: Why is it we can't seem to produce secure, high-quality code? This article in ACM Queue managed to be slash-dotted. I can see why. Author Marcus Ranum claims that security is a programming problem. I beg to differ. Bugs and security vulnerabilities are not the same thing. It seems to be part of the magical thinking around computer-based systems that if we could just get the software right, problems with security would vanish. I have no objection to getting the software right (or way better, at least). But seeing elimination of bugs as the silver bullet of security strikes me as near-delusional. It's also the hard way of getting to improved security. Think of all the bugs and related defects that don't create openings for exploits. And consider that serious problems like spam, while exacerbated by exploits, don't depend on hidden defects by which programs fail to meet the measurable requirements set for them. It is not about programming. It is often about system engineering, operations management, and business practice. It is a mystery for me what value is found in scapegoating programming. The marvel of it all is that software developers (want to) believe it too. Why? What is it we want so badly to be distracted from that we buy into this? posted by orcmid at 9/1/2004 11:58:13 PM, rating data by NewsGator Online *Comments:* Post a Comment

You are navigating the Blunder Dome

template created 2004-06-17-20:01 -0700 (pdt) by orcmid
$$Author: Orcmid $
$$Date: 05-01-22 13:41 $
$$Revision: 3 $