Slashdot Mirror

← Back to Stories (view on slashdot.org)

Secure Programming

Posted by michael on from the self-promotion dept.

viega writes "Matt Messier and I have just launched a secure programming web site. While this site does support our new book The Secure Programming Cookbook for C and C++ , it also serves as a thorough resource for developers. It has numerous links to articles and other topical resources, new recipes that demonstrate secure programming techniques a large glossary and the obligatory web log. We accept outside submissions, and will reward the best recipe submission each month-- O'Reilly will publish it on the O'Reilly Network web site and will give the author a free book. There's already a decent amount of new content, including recipes on avoiding malloc()/new-related integer overflows, watching out for security problems in API differences and issues when truncating data. There's also an RSS feed for the web log."

9 of 360 comments (clear)

  1. Run-on sentence time by mao+che+minh · · Score: 5, Insightful
    Ten bucks says that this endeavor will go widely unnoticed by 90% of developers. Now I'm just a lowly IT worker, managing web servers and crawling under desks, but I do know that 95% of the developers in corporate America do not read Slashdot, and 95% of the ones that do are so intimately involved with Microsoft or Microsoft dependant technologies that this book/article/section/endeavor won't mean a damn. And before the trolls bark: YES, Microsoft = less security in development. Not by design - hardly - but rather because if a developer is working on a project that is Microsoft centric from the ground up, he/she is likely working on a time table set by some PHB a hundred miles away, and has been working on such projects for years, and has long since given up on making good, secure code, and rather coding whatever keeps his/her salary.

    Once you have worked 50 hours a week in a corporate setting for 5 years as a developer (2 years) and a run-of-the-mill network/system/any-god-damn-thing-they-can-get-you -to administer(4 years, you will understand.

  2. Good idea by ljavelin · · Score: 5, Interesting

    It's a good idea to have resources that are committed to security. Although some will claim that languages such as Java or C# prevent security issues, this is simply not true - there are many avenues to building security weaknesses... and those that think they're safe merely by using a particular programming language are in for a nasty surprise.

    Of course, a web site and a few books won't prevent security issues - but the more it gets the word out about good programming practices, the better!

    ---
    Herb Chambers - where my nightmare came true!

  3. Warding off the inevitable "switch to Java" commen by sco08y · · Score: 5, Insightful

    If you RTFA, or even just GATFA (glance at) you'll notice that the book has info on:

    Random numbers

    Input validation

    Cryptography (e.g. ssh)

    Buffer overruns are just one kind of problem you need to deal with when writing secure code. There are also DOS attacks and information theft. Even with Java, it can be quite challenging to ensure that data is properly encrypted and authenticated, and you still need to worry about permissions in the file system.

    And let's not even dredge up the standard "why can't you just rewrite 100s of 1000s of lines of working C++ code in Java?" inanity.

  4. Secure programming FAQ by SystematicPsycho · · Score: 5, Informative

    Or for a quick and free guide, you can download the secure programming faq from one of the oldest websites on the internet-
    Securing Programming FAQ
    --

    --
    Analytic & algebraic topology of locally Euclidean meterization of infinitely differentiable Riemmanian manifold
    1. Re:Secure programming FAQ by viega · · Score: 5, Informative

      This is not a very good (modern) guide. There are plenty of better guides (still free) to which we link on the web site, such as David Wheeler's HOWTO . The book is more about giving actual code examples on how to do things properly. And, oddly enough, all the code is also available for free on the web site.

  5. Re:We really need a different language by Electrum · · Score: 5, Interesting

    They happen because A) most code is written in C or C++, and B) everyone makes mistakes (even the finest open source developers overlook simple buffer overflows).

    That's not true. qmail and djbdns do not have security holes. They were written using secure coding techniques that make them immune to things like buffer overflows. You can't "overlook" a buffer overflow with stralloc.

  6. Re:I blame colleges by metallicagoaltender · · Score: 5, Insightful

    Blaming colleges is a complete copout - if colleges aren't teaching the proper skills, then employers should be rejecting applicants with inadequate skills.

    The fact is, most companies couldn't give half a shit about security on a day-to-day basis, and therefore don't really care if people fresh out of college have a clue about secure programming, or even security in general.

    The goal of college, in the context of our current society, is to prepare students to get a job - if employers aren't demanding it, then people aren't going to expect it to be part of a college curriculum.

    Don't get me wrong, I fully agree it should be a core part of computer education right from the start, but until the technology industry recognizes it as a day-to-day need (other than the 2 weeks after you've been hacked), it won't be considered an important part of the educational process.

  7. Re:We already HAVE the different language. by dmiller · · Score: 5, Insightful
    It's called LISP.
    (And before anyone says "... but you can't write a kernel in LISP!", there are several LISP Machines out there which beg to disagree with you.)
    Yes, very true. "Several" is an excellent estimate of the number of LISP machines sold.
  8. Re:We really need a different language by slamb · · Score: 5, Informative
    qmail and djbdns do not have security holes.

    Bah. That they do not have security holes is implausible, if not actually impossible, to prove. It's hard to even define what a security hole is; a changing threat model has "caused" many security holes. (Is an open relay a security hole? I say yes. Twenty years ago, everyone said no.) I doubt your statement. I can't point at a hole right now, but I have confidence that at least one security hole will eventually be discovered in those programs.

    They were written using secure coding techniques that make them immune to things like buffer overflows. You can't "overlook" a buffer overflow with stralloc.

    No, they make it easier to avoid buffer overflows. They don't prevent them: I quote from your hyperlink:

    A stralloc structure has three components: sa.s is a pointer to the first byte of the string, or 0 if space is not allocated; sa.len is the number of bytes in the string, or undefined if space is not allocated; sa.a is the number of bytes allocated for the string, or undefined if space is not allocated. A stralloc variable should be initialized to {0}, meaning unallocated.

    Applications are expected to use sa.s and sa.len directly.

    If they use sa.s and sa.len directly, they can screw up and increase len inappropriately. The API seems good in that it makes it much harder to do things wrong, but it is hubris to say it makes you invulnerable. Besides, buffer overflows are possible for things other than strings, so this solves only (the most common) part of the problem. And there's still the legacy code that people can use without porting to stralloc.

    It does seem like a good library if you're stuck using C. Another alternative is APR, which makes managing all sorts of memory allocations much easier. Pools are handy things when dealing with a language that primitive.

    But there are languages in which it actually is impossible to have a buffer overflow. Please don't confuse the issue by saying that this (which makes it somewhat easier to avoid this error) makes the error impossible.