The Peon's Guide To Secure System Development 347
libertynews writes "Michael Bacarella has written an article on coding and security. He starts out by saying 'Increasingly incompetent developers are creeping their way into important projects. Considering that most good programmers are pretty bad at security, bad programmers with roles in important projects are guaranteed to doom the world to oblivion.' It is well worth the time to read it."
Re:bad coders... (Score:1, Interesting)
Eventually, the money men will be pushed aside and companies will once again start to focus on quality.
Disgruntled Professional Software Engineer
Engineers (again...sorry) (Score:5, Interesting)
If Microsoft's products are so good, why do they disclaim liability on it?
Of course it isn't just microsoft doing this either. The whole licensing thing. If a 'license' is supposted to give you the privledge to do or use something, then in most things you are completely liable for your actions. For example, I have a drivers license, I kill somebody it is my fault. If Acme's Nuclear Control Software 2002 goes faulty and blows up part of the states - they would probably claim no fault (bad example I know - special case currently probably).
If something like Windows plays any part at all .. (Score:5, Interesting)
A non-Windows system is not a guarantee of invulnerability, but keeping a Windows system is guaranteed to put you at risk.
The real world seems to agree with him on these.
Custom SW a huge security hurddle.. (Score:2, Interesting)
Better languages (Score:3, Interesting)
High level languages like Ruby, Python, or even Java are strongly recommended for all new projects.
How about a high level, compiled language with static typing like Ocaml. More speed, more protection, and it's been officially certified as "The programming tool of choice for discriminating hackers".
Ocaml [ocaml.org]
Huge middleware isn't such a great idea (Score:2, Interesting)
We got stuck with the package because the client chose it, and refused to admit they were wrong. When the project when 10X over budget and people got fired, they still stayed with the graphics package and even upgraded it to the 2.0 version.
The only way out was to quote them an astronomical figure for upgrading our software to match the POS and hope they wouldn't bite. I cheered when they politely declined.
It's good to have a job where you can choose your clients.
Designer liability (Score:1, Interesting)
Re:Article missing key point (Score:2, Interesting)
I just spent the last 3 weeks cleaning up crappy programming from one of my project-mates. Pick something - not closing db connections, 18 points where infinite loops could occur (!), 48 cases where error points are ignored they didn't exist, and the program continues. In a program that is 60Kb of bytecode! I'm already rewriting code, and this is the first release!
This is not a low budget, miniscule project. But still, one bad grape and the whole bunch goes. Time and time again.
So for everyone chanting "hire experts!", count the number of truly solid programmers you know, and drum up a percentage against those you know that suck. For a while there, the industry was stretched across ALL of those people, good and bad, and dying for more techies. Do you really think that the good developers (i.e., the ones who know to slow down and get it write the first time) can take up the entire load? Do you think industry is gonna wait for these experts? Now how about CMM level 4+ rated groups versus all those developing code. Rinse repeat.
On a more humorous note, the budget problems would probably all disappear if it weren't for Slashdot, but I'm not exactly out to kick my habit...
Re:Peon?! (Score:2, Interesting)
They're puzzled wondering why their network is sorta-broken. Most web sites work just fine but some don't. Everybody can send out e-mail, but people are complaining that the messages are bouncing half of the time.
When they discover they've been black-holed, they don't understand why they're being punished for the actions of spammers that they think are out of their control. They want to what they spammers are doing with their network to be illegal, and they want the lawyers to make the problem go away.
Oh, all the trouble a little security knowledge could save.
Re:Engineers (again...sorry) (Score:3, Interesting)
And since you are in Ontario, which is where I got my engineering degree you should know that money is not the issue to getting an education.
Also engineering certification does not mean quality. It means that you studied so many years and have gone through specific procedures. Just like police people and fire people. Some police people are good and some are baffoons, but regardless you know that they have gone through police trainning....
When engineers become liable for stuff that they design, people design very DIFFERENTLY. This is not to say that everybody has to be an engineer to work on software. Just like in a custom machinery shop not everybody is an engineer. You just need enough engineers to sign off legally on designs.
things can be done with its credentials - nop (Score:3, Interesting)
plan9 offers a model that doesn't require trusting the client. It runs a dedicated authentication server and a dedicated CPU server and a dedicated file server. The three talk to each other behind the client's back.
http://plan9.bell-labs.com/sys/doc/auth.html
Re:Crime to teach C/C++? (Score:3, Interesting)