Post #1, Daniel ~ (Chief BBS Administrator; Seattle, Wa.), 16th June, 2010, 06:31 PM

Why Can't Johnny Develop Secure Software?

Security experts agree that there's something wrong with the software development process, but there are differing opinions on how to solve the problem

It's another day in the life of a security pro -- or a hacker. Much of your time is spent searching applications for that one weak point, the one that will lead to the breach of sensitive data. And nearly every day, somebody finds one. Or more.

Post #2, Gizmo (Chief BBS Administrator; Webb City, Mo), 17th June, 2010, 05:23 AM

This article strikes a glancing blow at what, I feel, is the heart of the problem.

In the article, they make note of the fact that most programmers have no interest in secure programming methods and techniques. They say that this is partly due to the fact that programmers are 'builders and artists' and thus have no interest in security. They also observe that because programmers are under deadlines, anything that doesn't have to be done doesn't get done. Finally, they observe that companies have built application development frameworks to facilitate secure software development, but these frameworks and the management and development processes they require are frequently very expensive.

All of these arguments are rubbish, IMO.

Let's look at the 'builders and artists' comment first (and actually, this is directly applicable to the 'deadlines' argument as well). Any of you know an architect, an artist, a musician? What separates the good ones from the mediocre ones? Without exception, in my experience, it is the fact that they have a vision of what it is they want to create, and they will accept no compromises; no shortcuts; no inferior materials; most importantly, no inferior workmanship. Good art uses only the minimum necessary to achieve the desired outcome, but it uses ALL of what it has available to maximum effect; thus there can be no compromises on the quality of the components or workmanship.

I have opined before that writing good software is as much art as it is science, and I believe that to be true. The good programmers, the people who turn out good quality code time after time after time, have the same attitude that good artists, musicians, and architects do. It's got to be right, or they won't put their name to it. I believe this is true of ANY professional who actually cares about their craft.

Finally, the argument about the cost of the secure development frameworks. This actually has a grain of truth to it; using secure frameworks is frequently VERY expensive. The main reason for that (IMO) is because it proceeds from the notion that secure software can be produced if only we use languages that don't allow certain features, or that don't do certain things.

That simply isn't true. I will bet serious money that I can take the most robust secure software development environment in existence, and write code that has security holes in it.

The notion that all you have to do is use secure development tools and processes and you can create secure software is as fatally flawed as the notion that you can turn someone loose with all the latest power tools and they can build the perfect house.

IMO, the reason Johnny can't develop secure software is because Johnny, on average, simply doesn't care. Most of the software I see is utter garbage that barely runs, and the only reason it runs AT ALL is because we have created software development tools that actually are too good. The tools have progressed to the point that any trained monkey can write an app and stand a pretty fair chance of having that app work. Unfortunately, we haven't really asked the question of whether or not we really want trained monkeys writing apps.
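Gizmo's claim that a "secure" toolchain cannot stop a developer from writing a hole is easy to demonstrate. The following is an added example (editor's code, not Gizmo's and not from the article he is discussing): a memory-safe language and a database library that already provides parameter binding, and a query that is injectable anyway because the developer spliced user input into the SQL string. The table and rows are constructed sample data for the example; the hardened function beside it uses the same library the way it was meant to be used.

```python
"""Added example: same language, same library, one safe and one unsafe query.

The point is not the SQL injection itself but that the tool (sqlite3 with
'?' parameter binding) offers the safe construct and nothing forces its use.
"""
import sqlite3

# Constructed sample data for the example, not taken from any real system.
USERS = [
    (1, "alice", "alice@example.invalid"),
    (2, "bob", "bob@example.invalid"),
    (3, "carol", "carol@example.invalid"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Look a user up by name with string formatting (injectable).

    Python cannot overflow a buffer here and sqlite3 supports binding, yet
    attacker-controlled text still lands inside the SQL statement.
    """
    sql = "SELECT id, name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Same lookup using the parameter binding the library already provides."""
    return conn.execute(
        "SELECT id, name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo() -> tuple:
    """Run both lookups against a classic tautology payload.

    Returns (rows from the vulnerable query, rows from the safe query):
    the first leaks every row, the second finds no user of that name.
    """
    conn = make_db()
    payload = "x' OR '1'='1"
    return lookup_vulnerable(conn, payload), lookup_safe(conn, payload)


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable query returned %d rows: %r" % (len(leaked), leaked))
    print("parameterised query returned %d rows: %r" % (len(safe), safe))
```

Nothing in the language or the library distinguishes the two functions; only the developer's choice does, which is the thread's point about tooling versus care.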
Copyright ©2001 - 2010, AOA Forums