Secure Programming
viega writes "Matt Messier and I have just launched a secure programming web site. While this site does support our new book The Secure Programming Cookbook for C and C++, it also serves as a thorough resource for developers. It has numerous links to articles and other topical resources, new recipes that demonstrate secure programming techniques, a large glossary and the obligatory web log. We accept outside submissions, and will reward the best recipe submission each month -- O'Reilly will publish it on the O'Reilly Network web site and will give the author a free book. There's already a decent amount of new content, including recipes on avoiding malloc()/new-related integer overflows, watching out for security problems in API differences, and issues when truncating data. There's also an RSS feed for the web log."
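The summary mentions a recipe on avoiding malloc()-related integer overflows. The following is an added illustration of that class of bug, written for this page and not taken from the site or the book: when an element count supplied by untrusted input is multiplied by the element size, the product can wrap around in size_t, so malloc() returns a buffer far smaller than the caller believes it has. The function names (mul_size_ok, alloc_array, naive_bytes, would_overflow, alloc_and_free_ok) are this example's own.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Multiply n by size, reporting whether the product fits in size_t.
   Returns 1 and stores the product in *out on success, 0 on overflow.
   The division form avoids computing the wrapped product at all. */
int mul_size_ok(size_t n, size_t size, size_t *out)
{
    if (n != 0 && size > SIZE_MAX / n)
        return 0;           /* n * size would wrap around */
    *out = n * size;
    return 1;
}

/* Convenience predicate for the check above (1 = would overflow). */
int would_overflow(size_t n, size_t size)
{
    size_t unused;
    return !mul_size_ok(n, size, &unused);
}

/* The unchecked form: n * size wraps silently in modular arithmetic.
   Shown only so the wrapped value can be compared with the checked path;
   nothing here allocates with it. */
size_t naive_bytes(size_t n, size_t size)
{
    return n * size;
}

/* Allocate n elements of 'size' bytes, refusing when the byte count would
   wrap. Returns NULL on overflow or on allocation failure. */
void *alloc_array(size_t n, size_t size)
{
    size_t bytes;
    if (!mul_size_ok(n, size, &bytes))
        return NULL;
    if (bytes == 0)
        bytes = 1;          /* malloc(0) is implementation-defined */
    return malloc(bytes);
}

/* Try an allocation of n * size bytes and release it again.
   Returns 1 if the checked allocation succeeded, 0 otherwise. */
int alloc_and_free_ok(size_t n, size_t size)
{
    void *p = alloc_array(n, size);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}

int main(void)
{
    /* Constructed input: a count that makes count * 2 wrap to 0 on this platform. */
    size_t hostile_count = SIZE_MAX / 2 + 1;

    printf("naive byte count: %zu\n", naive_bytes(hostile_count, 2));
    printf("checked allocation refused: %s\n",
           alloc_array(hostile_count, 2) == NULL ? "yes" : "no");
    printf("ordinary allocation ok: %s\n",
           alloc_and_free_ok(1000, sizeof(int)) ? "yes" : "no");
    return 0;
}
```

The same check applies to calloc()-style arguments, to a count multiplied by sizeof(struct), and to additions such as header_len + payload_len; the pattern is always to test the bound before performing the arithmetic, never to multiply first and inspect the result.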
Lesson #1: All Java programs are automatically secure.
:)
See, that's why I keep coming to Slashdot. You learn something new every day.
You want the truthiness? You can't handle the truthiness!
I won't given the color scheme.
No buffer overflows
Without throwing an exception and crashing the program.
No dereferencing of null pointers
Without crashing the program (java.lang.NullPointerException).
No object creation failures (all "new"s succeed)
Without crashing the program -- usually as spectacularly as a C program since an out-of-memory condition will make Bad Things happen with the VM or JIT as well.
Sounds like a great candidate for writing an OS kernel in. Microsoft are you listening?
The Secure Programming Cookbook for C and C++, Chapter 1: Find an Alternative to C and C++.
Seriously!
Lesson #2: No matter how obvious it is that you're trying to be funny, someone will mistake your comment for totally serious and sincere (or, in this case, totally sincere in sarcasm). Which leads to...
Lesson #3: Don't try and be funny. You'll just end up having to explain it, and--as the Heisenberg Principle attests--an explained joke ceases to be funny.
Seeing how the parent didn't specify which security issues were fixed by switching from C/C++ to Java, and the website is devoted to "secure programming" without regard for language, the parent gives the impression that switching to Java automatically renders an application completely secure.
Despite Java's safer memory usage, an application is still open to a wide variety of attacks. Such grandiose security claims about managed languages are worthless (except for the schmucks trying to get a contract to rewrite a critical application in Java or C#).
See? See how not-funny you made me?
You want the truthiness? You can't handle the truthiness!
int main()
{
    return 0;
}
// Try hacking THIS, suckas!
You want the truthiness? You can't handle the truthiness!
"Now I'm just a lowly IT worker, managing web servers and crawling under desks"
Crawling under desks? I know admin'ing IIS servers is bad enough because of the security problems, but to have to blow your boss to keep your job?
Talk about getting fucked in both ends!
while(true)
...
//try again
{
try
{
}
catch()
{
}
}
bite my glorious golden ass.
... is any programming job that can't be exported to India!
"Lord, grant that I may always be right, for Thou knowest that I am hard to turn" -- A Scots-Irish prayer
I think I have spotted a small error in your otherwise excellent site.
I checked out the HTML source and the problem seems to be in the spc.css file.
There are several references to the value #BD3D89 and on the monitors I have here that value appears as a bright pink colour.
Just thought I'd let you know.
Just in case the site gets slashdotted, here's a cut-n-paste of the home page. Whew, glad I was able to get in to get this:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, mmessier@secureprogramming.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
Apache/1.3.28 Server at www.secureprogramming.com Port 80
The only starving people here are the Lisp programmers.
Just because I watched the movie the other night and can therefore quote entire reams from memory:
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
It's easier to eke speed out of C, largely because there's no pesky security ;-)