Date: Wed, 19 Jul 2006 17:43:51 +1000 (Australia/ACT)
From: Darren Reed <avalon@...igula.anu.edu.au>
To: beck@...h.cns.ualberta.ca (Bob Beck)
Cc: bugtraq@...urityfocus.com
Subject: Re: LAMP vs Microsoft

In some mail from Bob Beck, sie said:
> 
> > the people who use the platform to develop on top of.  If the
> > foundations of what you're using are insecure, then the web
> > developer has a harder task.
> 
> 	I disagree. I think most modern computing platforms start
> out as "secure" within their limitations if you understand them.
> It's code written for them that is the problem, plain and simple. 

Ok, let me give you a simple example of where I believe the
foundations are insecure - string handling in PHP.  Why doesn't
PHP make all strings "safe" when passing them to external
programs?
If it's not a problem for php, does it mean the HTTP or HTML
specs need to be changed such that definition of data when it
is passed out to CGIs.

> 	The more complexity you add to what you implement on top of a platform,
> the more bugs you add in the implementation, and the more opportunity
> for people not to understand the side effects. But I expect to see a
> great market for people reinventing the wheel for people who don't
> understand that life is pain, and anyone who says otherwise is selling
> something. 

In your opinion.  You make it sound like we have the perfect wheel
now - we don't and nobody I know thinks we do.  If we did have the
perfect wheel then there would be no security vulnerabilities. So
the wheel will be reinvented and perhaps multiple times, quite
necessarily.  I'd almost be tempted to say that software engineering
is in a rut and it doesn't know how to get out of it yet.

> 	Oh, and since you mention it, I doubt anyone in the OpenBSD mob would
> disagree with what I'm saying, or that I would care if they did.
> Unlike the corporate world there are still some free projects that
> allow for participants to speak their mind freely and not toe the
> party line.

I'm not toeing the party line, rather pointing out what different
groups do in order to achieve better results in terms of software
quality.  My apologies if you confused this with an attempt to
sell something.  Unfortunately they are the only two that come
to mind but my exposure is quite limited.  I'd be more than happy
to hear of what other projects do in this area, if you'd like to
mention some.  My comments and their relevance to open source are
limited by my experience.  If I had more experience that suggested
other projects did more for software QA, I'd have cited that too.

> Of course, I haven't yet asked what you're selling. Sounds
> to me like it's another effort to convince the unwitting that life
> isn't pain and blow SuNshine up their posteriors. 

If you've got a point to make, make it and leave the insults at home.

I'm interested in making software more secure and making the tools
we use more secure.  Part of that should be improving the process
to engineer software.  While Microsoft can hire the likes of ISS
and others to do this, for open source projects we need to discuss
and understand what groups do, think about it and think about how
we can apply that model (or part of it) to what they do.  This
requires disclosing what others do.

Now if you'd like to go live in your comfortable hole where all
software is by default insecure and we can't do much except wait
for exploits to find those bugs, feel free to sit and stay there,
but please don't criticise others for wanting a better solution
and discussing what people do to try and achieve that (even if
you think they're striving for a pot of gold at the end of a
rainbow.)

Darren
