The Peon's Guide To Secure System Development 347
libertynews writes "Michael Bacarella has written an article on coding and security. He starts out by saying 'Increasingly incompetent developers are creeping their way into important projects. Considering that most good programmers are pretty bad at security, bad programmers with roles in important projects are guaranteed to doom the world to oblivion.' It is well worth the time to read it."
Bad Programmers == Shitty Salary (Score:2, Insightful)
They're just paying for what they get. I tend to believe that its not so much bad programmers as it is a general apathetic attitude that good programmers have now. If there's no incentive to bust your balls, you're not going to!
It wont matter much (Score:5, Insightful)
until you can get the COMPANY liable for their software claims. and make their claims open and public, not buried in legalease.. I.E. if you dont want to be liable for it not working then the packaging must state "MIGHT NOT WORK" on the front in big letters.
until then it will not change... not in commercial software anyways...
Useless advice? (Score:3, Insightful)
?????
While I have taken this out of context, its not worthwhile to dispense with systems coding issues - thats exactly where most security problems start and need to be stopped. Anyone can be safe in a sandbox.
bad coders (Score:2, Insightful)
You get what you measure (Score:5, Insightful)
I used to work at a software house, and I noticed our code always adapted to whatever the organization cared about. When they cared about timeliness, we gave it to them, but the bug count went up. When they cared about a low defect rate, we gave it to them, but the volume of code (completed feature set) went down. When they cared about maintainability too, they got that, but app performance suffered.
Most competent programmers can probably make meaningful conributions to secure apps, especially if the efforts are led by good architects. Not everyone has to be the best. The only thing is, whoever is commissioning the software has to rank security (which includes a low defect rate) above timeliness and feature count. If that's done, most programmers can rise to the challenge.
Don't blame the programers. They're just adapting to their environment. They do have to put food on the table after all, so they'll do what their companies value.
What hubris. (Score:5, Insightful)
With such trenchant insights as "Don't use C/C++"! "Don't use Windows!" "Watch out for user input"!.
Wow. How truly insightful. I'm not even going to bother pointing out the utter absurdity of claiming that using or not using C/C++ has anything to do with it, or the added security problems with using high level languages (do you trust the implementation?).
I'm just going to say I've had bloody poops with more useful information in them than this article.
It should be a acrime to teach C/C++ (Score:5, Insightful)
Re:bad coders... (Score:2, Insightful)
If the people care about security now, you can bet the companies that succeed over the next decade will be the ones that satisfy that demand.
Wrong approach (Score:5, Insightful)
This guy is a little rough I think.
High level languages like Ruby, Python, or even Java are strongly recommended for all new projects.
This sentence should be continued "..for mediocre programmers.". Professional experts should use whatever language they are best at as long as it's reasonable for the project.
This article looks like he's giving advice on how to take a group of wanna-be progammers and try and get useful results from them. I think that's the wrong approach. What you should do is hire real experts. That way all the wanna-be programmers won't be able to get jobs and so they might realize "hmm.. maybe I should go back to school and get some real skills". Then we wont have as many of the problems that this guy talks about. Though maybe the schools aren't teaching the skills properly, but that's a different topic.
Everyone has to start somewhere. (Score:5, Insightful)
I was a shitty programmer out of college and after moving between various jobs I learned along the way.
Business works by getting the most for the least amount of cash. Unfortunately most businesses don't have competent managers that can tell the difference between anything applicable in the real world and a buzz word they just read on CNet (most technical conversations are over their heads). That is my experience anyway.
Re:Engineers (again...sorry) (Score:2, Insightful)
High level languages (Score:2, Insightful)
All of these languages use a C program to
run.(interperter, VM).
First this guy suggest against useing
close source components are components
that you do not understand.
Well, what are these high level languages that
he is suggesting. There just a convinent
ways to write C. (Java excluded)
Maybe he thinks that you should read through
the ruby and python source before you
start using these languages?
I think he's suggestion is the reason
we have bloated unsecure software,
everyone trust that there languages
is in a little black box just because
it has a VM. What if the VM has a security
flaw, isn't this just like running a
secure program on top of windows.
Just keeping a developer from using pointers
is no way to insure a projects security.
We Need To Consider 1980s DOD Practices (Score:5, Insightful)
Don't use the latest and greatest. Use something that has been in production for several years and has had the bugs worked out. The military used to do this on critical systems. Did I hate coding in Jovial on a machine that only had 64K? Yes. But I also knew the machine inside and out and had hand-checked the compiler's assembly code generation to make sure that it wasn't doing silly things. It didn't, because 5 years in production had wrung out all of the bugs.
Just what we need... (Score:5, Insightful)
salt on the glass.... Big grains of salt! (Score:2, Insightful)
I hate to break it to this guy, but this article is basically a big rant of his personal opinions. Not that I have anything against that, but I feel anyone heeding this person's advice unerringly would be making just as big a mistake as if they didn't listen to any of his advice.
Open-source, closed-source, it doesn't goddamn matter. The fact is, code is written by humans, and is therefore imperfect. Realize that now and save yourself a lot of time. Open-source continues to have just as many flaws in it as closed-source. How many times has the bind package been updated in recent memory? And don't start the "many eyes" thing again, we all know it and we're all tired of it, and I realize open source gets fixed faster.
My point is, when I first got into Linux, I took a default install of Red Hat and threw it on there. I had read all sorts of advice that if I wanted a secure server, I should use *nix, so I did. Yeah... rooted. Rebuilt the box, using a way newer distro... rooted. My failing was trusting the code implicity based on what other people said. Old versions of open source stuff are just as vulnerable as old versions of closed source stuff! And you know what? I guarantee that this will always continue to be true.
Constant vigilance is your only safe-guard. The open-source/closed-source argument is secondary to this. If you can build, deploy and maintain a closed-source based system much easier/cheaper/faster than an open-source one, well, balance that against your security requirements.
Re:Engineers (again...sorry) (Score:2, Insightful)
You can say the same thing for a bridge. It will only stand if all the parts of construction are good, which the developer (not the engineer) are in control of. If the design is inherently flawed, the engineering firm will liable. If the construction is flawed, the developer is liable.
The difference between software and your analogy is that the engineer/developer has complete control over the whole system. Developers don't. Microsoft doesn't. If the user of that same bridge goes and replaces all the rivets used, the developer can hardly be blamed when the bridge fails because of this.
If I build a huge structure right in the middle, and you build another, and CowboyNeal builds a third, much smaller building, and suddenly the bridge collapses, whose fault is that? The bridge developer? Me for starting the trend? CowboyNeal even though his was the smallest?
and then when we bring security into play, that is a whole different ball game. The engineer doesn't have to worry about people activly trying to make his bridge fail. If someone (say a tterrorist) plants shaped charges to destroy the main supports, and the bridge collapses under its own weight, no one would even think about sueing the engineer (except for maybe the lady that dumped coffee in her own lap, and somehow thought McDonalds was at fault).
In software systems we rely on everyone else to be well behaved. We also rely on the combination of everyone elses systems not interfering with our systems in unexpected ways. A system of mine could run fine without a single crash. A system of yours could run without a single crash. Together they might get spurious crashes. I have never had a crash on a fresh install of Windows while playing Freecell before I install anything else.
The same idea of liability can't be applied to software systems.
Article missing key point (Score:5, Insightful)
Quality and security of a commercial software product is a financial decision, not a technical. Much like how software architecture is a strategic and not a technical decision, which many software developers do not realize.
When the cost of continuing to improve quality and security exceeds the income from support contracts, you have to draw the line. If you don't provide or charge for support, you draw the line when your investment exceeds your targeted income projections.
There are software products that are secure and virtually bug-free, but you and I can't afford them. They run nuclear plants, space shuttle command centers, etc etc. Hundreds of millions of dollars have been spent on that software, and it is not a question about "the user is evil". It's about having a thorough and mature development process and organization, preferable at CMM level [cmu.edu] 5.
So, I really don't know where the article would apply. Maybe when writing simple VB games for your website. Absolutely not when writing commercial grade software.
Who the f*ck is this guy, anyway? (Score:5, Insightful)
Qualifications?
Let's see...
Wow! Pretty exceptional, don't you think?
'bout the only thing going for the guy is he *doesn't* have a blog...
How the f*ck did this nonsense get put up on /. anyway?
What changed hands to get this deal done?
t_t_b
Re:Engineers (again...sorry) (Score:5, Insightful)
Because the customers don't want to pay the added cost of reliability beyond what they need. If you want absolutely, positively bulletproof software, you're going to have to pay a higher development cost (mostly in testing, but in extra liability insurance for the company too). For safety-critical applications, customers are willing (or should be willing anyway) to pay for the additional cost , but it's ridiculous to pay for it when you don't need to. Do some googling on the cost of the space shuttle software for instance...
Open Source = Broken Source (Score:2, Insightful)
Honestly, I applaud open source. I think it can be quite a boon to the rest of the world. However, I've definitely seen enough public code that looked like it was written by a wannabe compsci major. It's nice to see this topic discussed. Open source is a powerful tool, but without good management and high coding standards it's just broken source.
Re:Useless advice? (Score:5, Insightful)
You can tell the difference between a developer who gets it and one who doesn't because the developer who doesn't get it is content to build a custom system using closed source components that they cannot understand, let alone keep secure.
when he goes on to say that
High level languages are usually more secure than C/C++
High level languages are built on layers and layers of things written by other people, things that you know nothing about. If you use C or assemlber, you're much more likely to be in control of the security of your code.
I guess the comment about C/C++ is aimed at coders who suck more than average; they're certainly better of using code written by other people.
Programmers are overpaid as it is! (Score:3, Insightful)
However, these people who are no more qualified to write code than a third worlder with no previous formal schooling trained to be an H1B in a cert mill -- yet are paid much more, for no good reason.
If anything, regular programmers who would ever, for example, use PHP's fopen() for a proxy like the article described should be paid like H1Bs and school teachers -- about $35,000 a year, at the most.
However, the ones who really know their shit -- like Mr. Bacarella -- should be the ones making $100,000 a year or more.
Re:Who the f*ck is this guy, anyway? (Score:2, Insightful)
Quote:
It should be a crime to teach people C/C++.
Then further into the article:
Whenever possible, use industry standards. For example: POSIX, ANSI C, OpenGL, SQL, etc. Resist using non-standard extensions, if you must have them, keep them limited.
I feel for his clients. Slashdot blew it on this story.
Enjoy,
What are bad programmers always "the other guy"? (Score:2, Insightful)
But noooo. It's always "the other guy" and "the place I used to work", etc... Bah.
Re:You get what you measure (Score:4, Insightful)
Look at airbags in cars, the government doesn't mandate side impact airbags, but some manufacturers put them in anyway because it's a selling point that some of the customers care about.
Now, I'm sure someone is going to point out that maybe we should have gov't enforced minimum security standards. However, I'm skeptical that government would be capable of doing it sanely right now.
Re:Who the f*ck is this guy, anyway? (Score:3, Insightful)
It should be a crime _not_ to teach C/C++. (Score:5, Insightful)
It's also very hard with C/C++. The most you break on any system without very broken protection-handling is the faulty program itself.
The reason Java is taught as an introductory language is that it was stylish about 5 years ago. The reason C# is taught as an introductory language is that Microsoft threw a lot of money at universities to teach it, and at marketing to attempt to make it stylish.
It boggles my mind that people in second-year programming courses at my university don't know what a pointer is, because it wasn't covered in their first-year programming course (which used Java).
Languages with built-in safeguards are great, if that's your primary concern, but programming courses in university are supposed to teach you about all aspects of programming that you might reasonably encounter. If someone graduates without knowing how to debug memory errors and then has to maintain a C++ program, God help us all. This is also why we're forced to learn Lisp/Scheme and exposed to Fortran at some point - exposure to the concepts is what's important.
As far as what's used in industry is concerned, first likelihood is whatever the shop has used for the past several years (anything from VC++/VB down to Cobol, depending on where you're working), and second likelihood is whatever the industry fad was when upper management was setting up specifications.
That's great, but what about the real world? (Score:2, Insightful)
This is precisely why Java and C# SHOULDN'T be the primary teaching language at any serious institution. It doesn't just encourage bad habits in memory management, it breeds ignorance of the CONCEPT of memory management. I'm extremely glad I had a good background in C/C++ (and even some Pascal before those) before I ever learned Java or Python, or I wouldn't have a clue about half the concepts that a good C background forces you to learn.
Re:It should be a acrime to teach C/C++ (Score:2, Insightful)
IMO, this is part of the problem. Languages should not be taught. concepts should be taught,a nd those concepts will translate to any language. People are coming out of schools having only been taught in Java (C# / whatever) and have no concept of things like memory management, buffer overlows etc. These folks have never had to think about these issues before because they only wrote Java code in school. When these people get out into the industry, they will almost certainly have to maintain some code at some time that deals with issues like this. Sorry, but the world doesnt revolve around all of these high level languages yet. There is a lot of C/C++ code out there in the real world that will need to be maintained for many years to come. We haven't managed to kill off COBOL yet after all
Also, as others have mentioned, coding in these high-level languages can give you a false sense of security. Do you trust your Java implementation for example? Are you willing to say for certain that the JVM doesnt have any buffer overflows in it
Re:Just what we need... (Score:3, Insightful)
Is his point that people need to be more serious about security? Fine. But he's utterly unqualified to be giving technical advice or making technical judgements on a field he obviously knows nothing about (use Python, Ruby, or Java and never C++? I call buzzword bullshit bingo!) other than the vague general knowledge a "technologist" would have.
It's like me saying plastic surgery has become dangerous because there are so many quacks, and they all need to sharpen their scalpels and pay attention to sterility.
Crime to teach C/C++? (Score:4, Insightful)
Bull fucking shit.
It should be a crime to *start* students on a protected environment like Java. Programmers who start on Java begin with less understanding of what's going on, because it sweeps too much complexity under the carpet.
I realize this argument was made for assembler when C was introduced. BUT! There was a massive shift between assembler and C, which is why that argument is not valid.
C and Java both have pointers/references. They both have functions, etc. But Java's references are hidden from the user, and most students don't have a clue about a reference.
Asm. vs. C was a big difference, but Java and C++ share so much, but Java sweeps all that complexity under the carpet. If a programmer who's only used Java gets into a C++ project, he'll fsck it up so fast it'll make your head spin.
It should be a crime to teach Java as a beginners language. It's not a bad language, but under no circumstances could it conceivably be considered a beginner's tool.
Not only that (Score:3, Insightful)
Real verified reliable design are, by necessity, very unflexable. You have to verify all the components and make sure they work together to insure that one won't cause problems. You then can't change the components, with out reverfing.
This just doesn't work for a desktop, where the user expects to be able to operate the system as they desire. that means that peopel can, and will, find combinations of software adn hardware that will fail. Hence, a software company can't gaurentee reliability in that situation.
Re:High level languages (Score:3, Insightful)
For example, try Common Lisp [cons.org], Objective Caml [ocaml.org] or Ada [gnat.com] (not that high-level, but not the worst idea if you care about security).
er, client / server (Score:3, Insightful)
Tell me, what is the compelling business reason for using windows that prevents me from using anything else in a corporate environment?
There is only one answer (or is it three?):
"Fear, Uncertainty and Doubt"
And that's one feature we can all do without!
Make up your mind? (Score:2, Insightful)
Re:High level languages (Score:3, Insightful)
Using a high level language is the best kind of software reuse. The reason behind this is simple, chances are good that you are never going to be as talented as Guido van Rossum or Larry Wall. Nor will your data structures get as many eye balls examining them as Python lists or Perl arrays. Borrowing the work of the hackers that created some of these languages only makes sense.
Now, I am not saying that these programs don't have bugs, because they do, but I would bet that they have less bugs than anything you have ever written. So while using high level languages doesn't insure security, it certainly does help.
Very short on answers. (Score:1, Insightful)
If the "adjustments" are so "simple," why didn't the author bother to explain a few of them? Porting a large project from C++ to Java is usually not an option. Replacing Windows with some other platform is usually not an option. And using a lot of foul language doesn't do a thing to explain the matter or increase the security of anything.
My guess is that this guy is working on a project or projects with lots of security holes, and he has written this "article" so that he can point to it later and say "See! I told you so!"
The Humans (Score:2, Insightful)
Re:Engineers (again...sorry) (Score:2, Insightful)
Yet plenty of people study >x years in University and don't get a P.Eng, yet suddenly they find barriers to their professions by arbitrary membership rules. If a professional engineering designation is a signal of education, then isn't that amply filled by existing programs?
And since you are in Ontario, which is where I got my engineering degree you should know that money is not the issue to getting an education.
No, but it's job mobility. John pursued advanced computer monkeyology and then became an expert software developer in the field of Monkeyology. Jim went through and become a "P.Eng in Computer Software", knows nothing about Monkeyology, but you're saying that John should be barred from writing software as Jim is certified? _BS_ It is a barrier of job mobility specifically to maintain exclusivity for its members. The P.Eng is trying to get its greedy hands into software development (as a mandatory element of software development, rather than a "marketforce" certification much like an MCSE or Cisco certificate), and they won't have a chance in hell.
Also engineering certification does not mean quality. It means that you studied so many years and have gone through specific procedures. Just like police people and fire people. Some police people are good and some are baffoons, but regardless you know that they have gone through police trainning....
Total agree with you here (and it's common for any certification/degree/diploma), but then you say...
You just need enough engineers to sign off legally on designs
Now that's just offensive. So we have some people who have joined the exclusive club, and now they have special rights and responsibilities to look over us common folks? I have known a couple of P.Eng's who were the dumbest (literally), laziest people I've had the displeasure of meeting (note that I'm not saying that all P.Engs are. Indeed, the same group includes some of the most honourable and brilliant. My point is that the membership in and of itself means exceedingly little), but suddenly these people are a signing force for a passport? How ridiculous is that. Don't tell me about the great responsibility they take by signing something, as the same holds true for ALL OF US: We all can have careers ruined, lawsuits, criminal complaints, etc, if we sign off on something negligent, incompetently, etc.
Re:er, client / server (Score:2, Insightful)
Security: Misunderstood responsibility? (Score:5, Insightful)
I don't necessarily accept this assumption. Most good programmers are good at coding up the design and requirements they've been given. The customer/architect/business analyst/technical lead needs to identify security requirements before they can be coded. It's very expensive to leave identifying security requirements to programmers. Not every project has the same needs. Sure, the programmer could guess. But each programmer on the project would end up spending a different amount of time and money on the security aspect if it's not clearly prioritized.
Likewise, if security requirements are not specified well enough, a security test-plan cannot be written or executed. If you need security, ensure it's somebody's explicit JOB on the project to ensure security gets into the design & QA.
Security costs money before a single line of code is written. Decide how much you need, where it's to be applied, and ensure it becomes a critical requirement through coding and testing. You can't expect security to just "happen" simply by hiring some "good programmers" as the author says.
Its all about the benjamins (now at least...) (Score:3, Insightful)
Re:things can be done with its credentials - nop (Score:3, Insightful)