Hangout for experimental confirmation and demonstration of software, computing, and networking. The exercises don't always work out. The professor is a bumbler and the laboratory assistant is a skanky dufus.

Recent Items
 
The Future of Software Tools
 
It's You? Ping You're It!
 
Self-Publishing Boxed Sets
 
How SCO Changed Our Awareness
 
Uh Oh: Time to Refresh Java
 
Open Source: Shrinking the Trust Surface
 
Open-Source: How Trustworthy, How Secure?
 
Trustworthy Software Security: How Do We Get There From Here?
 
Zombie Planet: Spam and Phish Egg Harvesting
 
Lost in Twisty Overlays All the Same: Peer Pressure

Archives
2004-06-13
2004-06-20
2004-06-27
2004-08-29
2004-09-05
2004-09-12
2004-09-19
2004-10-10
2004-10-24
2004-11-07
2004-11-28
2004-12-05
2004-12-12

Perfecting Secure Coding

Dana Epp's ramblings at the Sanctuary : Secure Coding - We can't stop trying.  2004-11-13: Dana Epp makes a number of contributions to an appreciation of secure coding.

The first is that "information security is about risk mitigation, not risk avoidance."

The second is that we should be dealing with attack-pattern types.  There are common patterns in the variety of attacks, and developers should be aware of those patterns,

The third consideration that Dana raises is about how vulnerabilities can be obscured by the use of higher-level tools that obscure what is going on.  Dana refered to higher-level languages, but I think there is far more to it beyond the confines of a given language.  I think this is a very big deal.

The fourth consideration is out beyond the code.  Dana has in mind Microsoft's SD3+C concept:  "Secure by Design, Secure by Default, and Secure in Deployment." [The "+C" is for "Communications" and I am not sure how that is supposed to be parsed in conjunction with the preceding list ];<).  Michael Howard has a video on the topic where he speaks about communicating the secure way of doing things, whether sample code or otherwise, and being proactive in communicating security and having customers be aware of security ramifications.

Dana argues that we must "reduce, redirect or eliminate the impacts of attacks," and apply that to configuration, deployment, and design.  In short, look out over the entire lifecycle of a secure product where it is situated for use.

Finally, Dana mentions the SCL list, so now I am going to have to find out what that is!

Eureka!  I know how November 30 was turned into November 31.  (Look ahead to December 1 to see what I am talking about.)  When you have used one of those idiot list boxes for numbers like 0 to 59 (duh?) or 1 to 12, if the selection stays there, you can end up manipulating it the next time you use the mouse scroll wheel.  This apparently happened on returning from the preview of this entry, somehow, except I was on the alert for it.  (Lord, I do hate browser-based applications, I really do.)

posted by orcmid at 11/30/2004 03:18:37 PM, rating data by NewsGator Online