lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: coderman at charter.net (coderman)
Subject: Coding securely, was Linux (in)security

Paul Schmehl wrote:

> If the input is *known* or has already been validated, why would you 
> need to check it?  My point is, if you can't know what the input will 
> be, you *must* check it.  The problem is that many programmers don't 
> think like hackers.  They write code as if every user will input the 
> correct data because, after all, they're trying to use it, not abuse it.
>
> That, of course, fails with the first person who types something 
> incorrectly on the keyboard (intentionally or unintentionally) or when 
> the input from some device is different than what the programmer 
> thought it could ever be (for whatever reason.) 

Secure programming requires additional skill and focus during design, 
development, testing and configuration.  Ultimately the market decides 
winners in the software space, and everyone needs to see security as a 
feature worth paying more for, in terms of employees designing and 
building the systems, to QA testers performing thorough audits before 
deployment to users comparing choices in the corporate or consumer 
software space.

I think the software market (consumers and producers) are equaly 
responsible for the state of security - it costs more time and money and 
skill to build secure systems: are people paying more for the secure 
alternatives on the market? do people make a thorough effort to address 
security before purchase?  Until the answer is yes, the current method 
will remain the market leader.  Those that ignore security (to the 
extent they can) will come to market faster and cheaper than their more 
secure alternatives.

[ i'm also conviently ignoring monopoly considerations, etc ]


Security is a hard problem, and somehow we need to make it coherent and 
valuable in the eyes of everyone involved.  (I don't have the answer, 
and its certainly not just a software problem)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ