2/20/04

Secure Coding? Of Course.

Andy Briney, in his February Information Security Magazine [NOTE: Searchsecurity no longer keeps old archives. This takes you to iranscience.net.] column, called "Secure Coding? Bah!", makes the claim that while we may ask for secure software, it is "Not gonna happen." He sees pursuing secure programming as "totally impractical."

Of course, he's wrong, though not completely. He correctly talks about incentives. But then makes a jump to suggest that there is no money to research how to accomplish this. Also, he says, this is a very complex and specialized problem.

Research is not needed. Use of proper tools and programming languages is. Tools exist to tighten up code and find possible problems. Also, it is not specialized. Poorly written software crashes all the time. We are used to it. But, it is not unique to security. Sometimes a buffer overflow results in a system hang. Other times it allows an exploit.

While I disagree with his claim that "Secure coding is yet another silver bullet," I agree that "Risk reduction is all about reducing vulnerabilities, mitigating threats and lowering event costs." Andy doesn't believe that secure coding is part of the solution, except theoretically. I believe it can be.

Check out his column at the above-cited URL and look for discussions elsewhere on it at seclists.org, or by using your favorite search engine and looking for the title of his column.

No comments: