How to Develop Securely
An anonymous reader writes "This column explains how to write secure applications; it focuses on the Linux operating system, but many of the principles apply to any system. In today's networked world, software developers must know how to write secure programs, yet this information isn't widely known or taught. This first installment of the Secure programmer column introduces the basic ideas of how to write secure applications and discusses how to identify the security requirements for your specific application. Future installments will focus on different common vulnerabilities and how to prevent them."
A hacker is a computer expert or enthusiast. So I'm a hacker?
How about (radical idea coming) we just all use the functions correctly! strcpy is not inherently insecure, it just doesn't check anything /for/ you. strncpy doesn't guarantee a terminating null character, so you have to (gasp!) check for it.
The main problem with strlcpy is that it's not standard, hence it may not be available on your target platform.
It's always a long day... 86400 doesn't fit into a short.
strlcpy is 27 lines of portable C in the FreeBSD version, including K&R-style prototype, blank lines and comments. Hardly too much to include if autoconf tells you that it's missing, and well worth it - not because code using str(n?)cpy is inherently broken, but because it's just easier to work with.
Programming can be fun again. Film at 11.
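The strncpy and strlcpy behaviour discussed in the comments above, as an added example that is not code from any poster or from FreeBSD: it shows strncpy leaving a buffer unterminated, strncpy used with a manual terminator, and a small fallback with strlcpy semantics. The names `my_strlcpy`, `copy_with_strncpy` and `strncpy_left_unterminated` are hypothetical, chosen so they do not collide with a libc that already ships strlcpy.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fallback with strlcpy semantics (hypothetical name): always terminates
 * dst when size > 0 and returns strlen(src), so a return value >= size
 * tells the caller that the copy was truncated. */
size_t my_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size != 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* strncpy used correctly: copy at most size - 1 bytes and terminate by
 * hand. Returns 1 if src did not fit, 0 otherwise. */
int copy_with_strncpy(char *dst, const char *src, size_t size)
{
    if (size == 0)
        return 1;
    strncpy(dst, src, size - 1);
    dst[size - 1] = '\0';
    return strlen(src) >= size;
}

/* Returns 1 if a plain strncpy(buf, src, size) leaves no NUL inside the
 * first size bytes, i.e. the result is not a C string; -1 on bad size. */
int strncpy_left_unterminated(const char *src, size_t size)
{
    char buf[64];
    if (size == 0 || size > sizeof buf)
        return -1;
    memset(buf, 'X', sizeof buf);   /* make a missing NUL visible */
    strncpy(buf, src, size);
    return memchr(buf, '\0', size) == NULL;
}

int main(void)
{
    char d[8];
    size_t need = my_strlcpy(d, "12345678", sizeof d);  /* constructed input */
    printf("copied \"%s\", needed %zu bytes, truncated=%d\n",
           d, need + 1, need >= sizeof d);
    printf("plain strncpy unterminated: %d\n",
           strncpy_left_unterminated("12345678", 8));
    return 0;
}
```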
I disagree. The part about Free and Open-source software was very topical. It basically concerned the tendency of some to believe that FLOSS (Free/Libre and Open Source Software, as the author calls it) is somehow more inherently secure, and it debunks this while qualifying the debunking with some intelligent critique--such as the fact that when many eyes _are_ actually looking at the source code, there is a greater possibility that security vulnerabilities will be found, as well as the difficulties inherent in comparing the meaning of security in the case of a very widely used OS like MS Windows with OpenBSD. Yes, this was a lot of common sense for the most part, but you should know from reading Slashdot that people are often lacking in that...
Ditch C.
Understand C
C isn't the problem; people that use C without knowing what they are doing are. No programming language can prevent stupid programmers from making mistakes that can potentially be exploited. But C has the advantage that those stupid programmers very often don't manage to get a compiling / working program at all, sparing us the security risk.
- We are the slashdot. Resistance is futile. Prepare to be moderated -