Hosting Provided By

Re: Writing Secure code[update]

From: Rahul Chander Kashyap <rahul(at)nsecure.net>
Date: Tue Dec 31 2002 - 05:20:17 EST

Hi people,
First of all i'm thankful to all for responding to my query. Well this shows one thing for sure..we share similar concerns :-) Actually i'm quite surprised that no one as yet has said that yes! we follow some standards to <or rather attempt to>make our coding more secure. So, how about directing our focus with a aim at reaching a methodology/conclusion as to what can be done (by us + others) to say bring up some ideas of some kind of a standard/practice which aims at following certain guidelines to be taken at the design stage of any software development process that could help us prevent the code getting exploited.(If something like this already exists please do let me know..this shall save a lot of time!).
yes there are books..i agree but then if we follow something as a standard i'm sure that it shall be more universally accepted and we also cud improve on those!
These practices cud also be platform dependent. I wud like to add here that Yes! i agree with all those who say that what if the OS itself is to blame,the libraries are buggy,etc.etc..But from our/the developer point of view shudn't we have a practice that shud be adhered to?? (Say this could start from as simple a thing like ONLY using checked functions like strncpy() instead of strcpy.)

And yes let us not focus on the *buggy* aspect of the code because out here we're trying to make sure that what we've written is not exploitable due to *holes* left by the coder. Someone put it very well :

Reliable: something that does everything it is specified to do.
- Secure : something that does everything it is specified to do..and nothing else. I agree that there is a very thin line between the two ;-) please do let me know what u people feel of this proposal. I'm open to forming a group (if required) and doing some kind of research on this aspect. I too believe that *absolute security is a myth*, but i do believe in taking some steps so as to reach as close as possible to say *high grade security!* :o) Any takers on this???

Have a fabulous new year!
Regards,

Rahul C. Kashyap
Software Developer
www.nsecure.net

Layered Defence

Received on Tue Dec 31 12:52:55 2002

This message: [ Message body ]
Next message: Michael Howard: "RE: Writing Secure code[update]"
Previous message: Frederic Raynal: "Re: Preventing ptrace()"
In reply to: Matt McClellan: "RE: Writing Secure code"
Next in thread: Crispin Cowan: "Re: Writing Secure code[update]"
Reply: Crispin Cowan: "Re: Writing Secure code[update]"
Reply: K K Mookhey: "Re: Writing Secure code[update]"
Reply: Michael Howard: "RE: Writing Secure code[update]"
Reply: charles lindsay: "RE:Writing Secure code[update]"
Reply: David Wheeler: "Standards for developing secure software"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:44 EDT