Following Best Coding Practices Doesn't Always Mean Better Security

← Back to Stories (view on slashdot.org)

Following Best Coding Practices Doesn't Always Mean Better Security

Posted by samzenpus on Thursday May 2, 2013 @09:37PM from the keeping-your-guard-up dept.

wiredmikey writes "While some best practices such as software security training are effective in getting developers to write secure code, following best practices does not necessarily lead to better security, WhiteHat Security has found. Software security controls and best practices had some impact on the actual security of organizations, but not as much as one would expect, WhiteHat Security said in its Website Security Statistics Report. The report correlated vulnerability data from tens of thousands of Websites with the software development lifecycle (SDLC) activity data obtained via a survey. But there is good news — as organizations introduced best practices in secure software development, the average number of serious vulnerabilities found per Website declined dramatically over the past two years. 'Organizations need to understand how different parts of the SDLC affects how vulnerabilities are introduced during software development,' Jeremiah Grossman, co-founder and CTO of WhiteHat said. Interestingly, all the Websites tested under the study, 86 percent had at least one serious vulnerability exposed to attack every single day in 2012, and on average, resolving vulnerabilities took 193 days from the time an organization was first notified of the issue."

61 comments

Min score:

Reason:

Sort:

Vacuuming the carpet daily... by Anonymous Coward · 2013-05-02 21:42 · Score: 0

..does not mean the house won't get broken into.
1. Re:Vacuuming the carpet daily... by LizardKing · 2013-05-02 21:51 · Score: 1, Troll
  
  I'd suggest not vacuuming. A layer of dust and fluff will prevent the Bungle's Finger that most discerning burglars leave from adhering to the carpet.
Following best architectural design practices by TheLink · 2013-05-02 21:48 · Score: 2

Following best architectural design practices doesn't mean your final building will be more secure.
--
- Too many replies beneath your current threshold
1. Re:Following best architectural design practices by wonkey_monkey · 2013-05-02 22:43 · Score: 1
  
  No, no, no. Car analogy, puhlease!
  
  --
  systemd is Roko's Basilisk.
2. Re:Following best architectural design practices by hcs_$reboot · 2013-05-02 22:58 · Score: 1
  
  Following best driving practices doesn't mean you drive safely... uh..
  
  --
  Slashdot, fix the reply notifications... You won't get away with it...
3. Re:Following best architectural design practices by hairyfeet · 2013-05-02 23:04 · Score: 4, Informative
  
  Or to just cut past all the damned metaphors just because you teach your programmers not to have Bobby Drop Tables size screw ups doesn't mean there isn't a bazillion other ways they can screw up.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
4. Re:Following best architectural design practices by chrismcb · 2013-05-02 23:07 · Score: 4, Insightful
  
  Of course it does, and TFA even says so. Of course going to "software security training" isn't exactly a "best practice" either. Just because someone goes to a training session doesn't mean they'll learn anything.
  Following best practices in code will most definitely make your code more secure. But more secure is very relative. You can still have plenty of vulnerabilities, just fewer than before.
  Best practices or no, we all make mistakes, and plenty of them. It only takes one mistake to leave a hole. Whether it is a simple bug, or a design flaw. And the bad guys only need to find one flaw. So yes Best Practices help. But it doesn't mean your code is going to be Fort Knox.
5. Re:Following best architectural design practices by Anonymous Coward · 2013-05-02 23:59 · Score: 0
  
  Following best driving practices -on ice- doesn't mean your car won't land in a ditch.
6. Re:Following best architectural design practices by Anonymous Coward · 2013-05-03 00:43 · Score: 0
  
  Best practices are things like escaping and checking user input before acting or it or processing it. However, is the programmer is just stupid and doesn't understand what these things do he will fail. Who hasn't see this before: execute('command '+escape(user_input_number))?
7. Re:Following best architectural design practices by BlindMaster · 2013-05-03 06:28 · Score: 1
  
  I agree, and the reason for making mistakes have a lot to do with deadlines.
  Best practice or not, more time on designing, implementing and testing them can avoid a lot of mistakes. More often lack of communication and understanding to the code have a lot to do with testing (due to tight deadline). Both the technical testers (run static analysis report) and QA testers (testing for business cases) lacked the knowledge of the system, as they have no clue but to assume some of the things are working as expected. Many of the issues can be avoided given more time and more communication. Best practice or not, some of these are common sense.
"best practice" and surveys by bickerdyke · 2013-05-02 21:53 · Score: 5, Insightful

Asking software companies if the require their developers to adhere to "best practice" won't lead to any usefull number at all.
Or does anyone think anyone would admit to use only second-best programming standards?
Let alone the question what programming techniques count as "best practice".

--
bickerdyke
1. Re:"best practice" and surveys by Anonymous Coward · 2013-05-02 22:08 · Score: 0
  
  Actually, I regularly tell my managers I'm not adhering to "best practice." But they accept the trade off with the lower use of resources. Mind you, we're not a software development company, just a development team in a company.
2. Re:"best practice" and surveys by phantomfive · 2013-05-03 03:01 · Score: 1
  
  I don't know what 'best practices' are, but I can tell you, if it takes 193 days to fix a vulnerability, on average, from the time you are notified about it, then you are not following best practices.
  
  Or, if you are this guy, and claim "bugs are not a big deal," then you are not following best practices.
  
  It's not clear what the author of the present study believes are best practices, but it's clear there are a lot of people who are doing things horribly wrong.
  
  --
  "First they came for the slanderers and i said nothing."
3. Re:"best practice" and surveys by Anonymous Coward · 2013-05-03 03:06 · Score: 0
  
  The only best practices that will lead to fewer vulnerabilities is using frameworks that protect programmers from having to think about vulnerabilities. For instance, using a prepared statement API to prevent SQL injection attacks.
  But thinking of security as a checklist will always result in an insecure result. This is because security is a mindset, not a checklist. Developers need to learn to think defensively about their code so that it's a constant concern when developing the code. Anything less will lead to lapses. And, in my experience, not all developers are able to learn to think this way.
4. Re:"best practice" and surveys by plover · 2013-05-03 09:47 · Score: 2
  
  You completely misread his essay. Yegge did not try to claim that "bugs are not a big deal" to him. He only pointed that out as a possible viewpoint of a "liberal" programmer.
  However, his thesis that programmers are either "conservatives" or "liberals" is completely wrong-headed. People are either engineers (tests, proof, knowledge) or not. Static typing doesn't enter into it. The crap he was yammering about seemed written to justify his choices and his existence, not to provide useful knowledge.
  
  --
  John
5. Re:"best practice" and surveys by phantomfive · 2013-05-03 13:19 · Score: 2
  
  We can quote from what he wrote:
  
  "Bugs are not a big deal.......Bugs are not a big deal!...... (This belief really may be the key dividing philosophy between Conservative and Liberal philosophies.).....I am a hardcore software liberal, bordering on (but not quite) being a liberal extremist."
  He definitely puts himself on one side of the spectrum. As you said though, the whole essay could be renamed "Stuff I like and stuff I don't like." Because that's essentially what it is.
  
  --
  "First they came for the slanderers and i said nothing."
Rules should be treated like guidelines by Anonymous Coward · 2013-05-02 22:05 · Score: 5, Insightful

If secure coding could be described by a few simple rules, coders would have already been replaced by programs.
Best practices by philip.paradis · 2013-05-02 22:08 · Score: 4, Insightful

"Best practices" is such a wonderful term; its sheer flexibility permits the person invoking it to assure his audience that he meant exactly what he said, even when he didn't say much of substance.
Now if you'll excuse me, I'm late for a game of bullshit bingo.

--
Write failed: Broken pipe
1. Re:Best practices by SirGarlon · 2013-05-02 23:53 · Score: 1
  
  "Best practices" is a synonym for groupthink.
  
  --
  [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
2. Re:Best practices by Anonymous Coward · 2013-05-03 00:09 · Score: 1
  
  Are you sure you didn't mean Agile bingo?
  Gotta keep it on topic!
3. Re:Best practices by Anonymous Coward · 2013-05-03 00:32 · Score: 1
  
  The best practice is to understand the options available and to choose the one that best fits your particular circumstances.
  But when developers ask "what is best practice" they want somebody else to make a choice that they can blindly apply without thinking. This is not the "best practice".
4. Re:Best practices by Anonymous Coward · 2013-05-03 01:12 · Score: 0
  
  "Best practices" is such a wonderful term; its sheer flexibility permits the person invoking it to assure his audience that he meant exactly what he said, even when he didn't say much of substance.
  Now if you'll excuse me, I'm late for a game of bullshit bingo.
  Honestly. If there's one term that managers have embraced, it's "best practices." It just spews "quality." The real beauty is that there is no set standard for best practices, so if something goes wrong, you have plenty to cover your ass.
5. Re:Best practices by Anonymous Coward · 2013-05-03 04:03 · Score: 0
  
  Which is precisely why it's invoked by inexperienced, outsourced 'journalists' when they write totally-off-the-mark fluff pieces.
No surprise by gweihir · 2013-05-02 22:11 · Score: 3, Insightful

Secure code needs a holistic view. The usual component architecture that works pretty well for reliability and correctness, but not so well for performance, fails utterly for security. What is needed is a really competent secure software expert, that can do everything from architecture down to coding and is part of the team right from the beginning. This person must also have means to enforce security. Unfortunately, people that can do this job are very rare, and most projects do not have that role anyways.

--
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
1. Re: No surprise by mattpalmer1086 · 2013-05-03 00:00 · Score: 4, Insightful
  
  Been there, done that, made redundant.
  This was at a software house selling payment processing middleware that had to be PA-DSS compliant. Achieved compliance, role made redundant.
  They clearly made a risk reward calculation and decided the benefit of securing the product was outweighed by the cost of slowing development. Particularly as everyone else's security also sucked and there was no particular liability for them if a breach occurred. It's a classic externality.
  I'm also on the steering committee for an initiative trying to improve software security and resilience. They also figured out that the market was failing here, and only legislation for software liability or some other mechanism to correct the externality had any chance of improving the situation. But the cure might be worse than the disease. ..
2. Re: No surprise by Anonymous Coward · 2013-05-03 04:00 · Score: 0
  
  Might be?
  I already have contracts requiring me to use 'accepted best practice commercial antivirus' which basically means symantec install on all systems whatsoever if you inquire.
  "Commercial grade software firewalls on all laptops" -- thanks, now I have to buy some piece of shit instead of using pf or iptables.
  I've already infuriated middle management by pointing out that some of their software compliance standards are entirely fictional and that no product exists on any market that could make their software compliant, nor could it exist without developing customized hardware and protocols
  And they completely shit bricks when I explained to them how IT's content filter necessarily reduces the cryptographic security of all forward facing webapps.
  When I told them that any competent developer or sysadmin trivially had access to productions database and customer data (at the risk of termination if they actually noticed, which they wouldn't) simply by either accidentally leaving a debug config option set, or simply writing software to do that and pushing it to release (QA checks black box, not the code itself) -- people about blew a fucking gasket when they realized what the costs would be to fix it.
  Management is not equipped or professionally competent enough to even understand a threat model, let alone the details of it.
  You involve congress, and all we're going to get is a steaming heap of fiction that will be used to throw the book at someone for circumventing DRM by logging into their account and emailing a picture they didn't know they didn't have a coypright to.
  And don't get me started on the manager down the hallway who thought that HTTPS meant nobody could 'fake' our site and was about ready to accuse someone of hacking for photoshopping a mockup of a desired feature.
  Regulatory compliance will only read to clusterfuck.
  Or do I need to share the story of a bank out west that encrypted all of their credit card information in a database with crypto managed by a compromised windows domain server... ? That also held all corporate directory accounts...
  And had RDP tunneled out...
3. Re: No surprise by Anonymous Coward · 2013-05-03 06:51 · Score: 0
  
  I could add my sad story of lax corporate security here (such as passwords coded into executables, generic users and so on). But I think it is more useful to analyze the big picture. The big picture is that IT personnel have become whores to the "business" pimps (people with control of money).
  Whores are not supposed to stand up to their pimps. They are supposed to be obedient. We are sooo much "customer-focused" we more of a whore than sex whores.
  That is the core of the problem and I doubt any amount of "red light district regulation" can change anything about it.
4. Re: No surprise by Anonymous Coward · 2013-05-03 07:42 · Score: 1
  
  Regulatory compliance will only read to clusterfuck.
  You're doing it wrong. (Err... well, you're probably right that Congress would do it wrong, too.) A good regulation for handling the GP's problem wouldn't be "use exactly these security processes", it would be "you are liable for security problems in software you sell (and maybe even are required to have insurance for it)". The problem is externalities; good regulations should internalize those externalities and do nothing else.
5. Re: No surprise by gweihir · 2013-05-03 10:30 · Score: 1
  
  Been there, done that, made redundant.
  This was at a software house selling payment processing middleware that had to be PA-DSS compliant. Achieved compliance, role made redundant.
  They clearly made a risk reward calculation and decided the benefit of securing the product was outweighed by the cost of slowing development. Particularly as everyone else's security also sucked and there was no particular liability for them if a breach occurred. It's a classic externality.
  Indeed. No liability always means no due diligence or care.
  
  I'm also on the steering committee for an initiative trying to improve software security and resilience. They also figured out that the market was failing here, and only legislation for software liability or some other mechanism to correct the externality had any chance of improving the situation. But the cure might be worse than the disease. ..
  I agree there as well. They will likely regulate how it has to be done (making it useless), instead of establishing liability. In other engineering fields it is quite simple: If your people were adequately qualified, careful and there was a competent independent review (if things are experimental) or bets practices were followed (if a standard problem), then it was an accident. Otherwise, negligence is found and the company pays. The negligence may also be criminal and the managers that made the decisions can become personally liable and go to jail in addition. The same thing could also be done for IT security, which would finally also lift the wages for those really competent to an adequate level and hiring the cheapest moron that can barely do the job would stop.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
6. Re: No surprise by gweihir · 2013-05-03 10:31 · Score: 1
  
  The problem is that governments have become so incompetent these days that nobody knows how to create good regulations anymore.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
obviously by Anonymous Coward · 2013-05-02 22:24 · Score: 0

the OP or article has never written a code - its like saying a good looking dessert may not be good to taste; its this obvious commonsense?
People are the primary security hotspots by cyborg_zx · 2013-05-02 22:30 · Score: 2

Since that's unlikely to change good ol' social engineering is still going to be the primary tool in any would be assailants toolbox for breaking security.
1. Re:People are the primary security hotspots by smooth+wombat · 2013-05-03 00:06 · Score: 2
  
  Reminds me of a question I was asked in an interview: "What do you consider the most serious threat to the integrity of data?"
  I looked at the person who asked the question and answered, "People on the inside." I then elaborated that the majority of data breaches and leaks comes from inside an organization, that once you allow someone access to that data, you have a potential security issue.
  That wasn't the answer they wanted.
  
  --
  We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
2. Re:People are the primary security hotspots by Anonymous Coward · 2013-05-03 00:54 · Score: 0
  
  Ding, ding, ding, ding! Shockingly, best coding practices isn't a silver bullet to fix security issues. There isn't any one thing - budget line item - that does that.
3. Re:People are the primary security hotspots by Anonymous Coward · 2013-05-03 20:25 · Score: 0
  
  Reminds me of a question I was asked in an interview: "What do you consider the most serious threat to the integrity of data?"
  I looked at the person who asked the question and answered, "People on the inside." I then elaborated that the majority of data breaches and leaks comes from inside an organization, that once you allow someone access to that data, you have a potential security issue.
  That wasn't the answer they wanted.
  Maybe they took your answer to heart, and concluded that fewer people inside (i.e. not hiring) means lower risk?
Just a thought by Anonymous Coward · 2013-05-02 23:15 · Score: 2, Interesting

Isn't that why they're called Best Practices and not Perfect Practices?
1. Re:Just a thought by Anonymous Coward · 2013-05-03 01:47 · Score: 0
  
  No, it's called Best Practices so people who don't know any better can pat themselves on the back with a hardy 'job well done' without sounding overly smug.
  Those who do know better just call it common sense.
  Perfect Practices are for security vendors and delusional managers.
In the eye of the beholder by SuperDre · 2013-05-02 23:25 · Score: 2

Well.. 'Best coding practices' is all in the eye of the beholder.. what one calls best practice might look awfull to another.. there really is no 'best coding practices'..
1. Re:In the eye of the beholder by CapOblivious2010 · 2013-05-03 00:35 · Score: 2, Interesting
  
  Well.. 'Best coding practices' is all in the eye of the beholder.. what one calls best practice might look awfull to another.. there really is no 'best coding practices'..
  For overall coding, you're right - it's all in the eye of the beholder. For secure coding, one simple rule (which is unfortunately much harder to follow than it should be) will avoid 99% of the problems:
  
  DON'T EXECUTE CODE WRITTEN BY YOUR USERS!
  
  What makes it so damn hard is the temptation (if not active encouragement by your platform) to "stringly type" all your data, combined with the temptation (if not active encouragement by your platform) to build up executable code by pasting strings together, all smothered in a rich sauce of inconsistent, confusing, and poorly-documented rules for how to escape what characters where.
2. Re:In the eye of the beholder by RedHackTea · 2013-05-03 07:41 · Score: 1
  
  This is why I write all of my code on one line. It's clean and simple. Others brag about 1000 lines of code; I brag about 1 line with 20k columns. Got an exception? Yeah, it's on line one. Got a compile error? Whatdoyouknow, it's on line one also. I just need a better text editor that can handle columns better...
  
  --
  The G
3. Re:In the eye of the beholder by Anonymous Coward · 2013-05-03 08:38 · Score: 0
  
  You are just describing one class of exploits. You just close one of the 11123 doors of ingress.
4. Re:In the eye of the beholder by CapOblivious2010 · 2013-05-03 09:59 · Score: 1
  
  But it's by far the most common - read details on any group of exploits (service pack "X" of your favorite platform, for example) and you'll see that the vast majority come down to executing user input.
Having good engineers by Anonymous Coward · 2013-05-03 00:36 · Score: 2, Insightful

is more important than having managers that insist that engineers follow every guideline from the MS Press book, or whatever.
For example, one of the guidelines is always "do not use sprintf". But sprintf is perfectly safe in cases like this:
std::string myfunc( int i ) { char buffer[80]; sprintf( buffer, "Your number=%d", i ); return buffer; }
So what we sometimes see is a lot of mindless replacements of perfectly good function calls with slower, more difficult-to-read counterparts, where the process of substitution may have produced bugs. Ordered by management during scrum so he can rattle off metrics to his boss on how much more "secure" the code base is now than three weeks ago.
1. Re:Having good engineers by Anonymous Coward · 2013-05-03 03:01 · Score: 3, Interesting
  
  sprintf is a minefield of bad. You *have* to know how to use it correctly.
  For example
  char xyz1 =1;
  unsigned int xyz2 = 2;
  long long xyz3 = 3;
  short xyz4 = 4;
  char buffer[50];
  sprintf(buffer, "%d %d %d %d", xyz1, xyz2, xyz3, xyz4);
  That is a bad statement (especially if you are porting between platforms). with at least 6 different places for over runs and underruns. 1 place for a incorrect signed type. Your code btw returns a pointer from the stack. Which means it will just 'go away' and is subject to change. You may get lucky and it works for 'awhile' until you call something else.
  Each datatype has its own % type. For example a short is %h most people do not know that (and that varies between different CRTs). The code I have above would overrun a buffer and read out too much data (off the stack probably from the buffer var or the padding between them). The first %d would do the same thing. The 3rd one would not read enough. Make those numbers bigger and I would overflow the buffer.
  I learned this the *VERY* hard way (400+ statements all with over runs and under runs). Use printf/sprintf in the right way. Read the doc completely match your types exactly. It is also different on windows vs linux vs random embedded platform. After looking at about 6 different sprintf implementations they quality varies wildly from stupid to able to handle the above statement with aplomb.
  Also just because you are using a 'type safe' language does not mean you are safe from this. Many just pass along to sprintf/printf so you are still subject to the same rules. Sometimes with even less control.
2. Re:Having good engineers by Anonymous Coward · 2013-05-03 03:46 · Score: 0
  
  Replace "char buffer[50]" with "char buffer[200]" and the problem goes away, and it's faster at runtime than the faux-secure alternative.
3. Re:Having good engineers by Mr.+Slippery · 2013-05-03 05:13 · Score: 2
  
  But sprintf is perfectly safe in cases like this:
  If we make some (currently sensible) assumptions about sizeof(int), yes, that's safe. The problem is that somewhere down the road, the newbie who maintains your code is going to change it to
  sprintf( buffer, "After long and careful consideration, our system has calculated your number=%d", i );
  Secure code is not just "code containing no flaws", it's "code structured in such a way to guard against the introduction of flaws in further development and maintenance".
  
  --
  Tom Swiss | the infamous tms | my blog
  You cannot wash away blood with blood
4. Re:Having good engineers by Anonymous Coward · 2013-05-03 07:18 · Score: 0
  
  Use a fucking printer class which is type safe and never, ever touch plain arrays/pointers , including char*. That will eliminate a large class of issues with very little overall effort.
  E.g.
  CrtPrinter cp;
  cp.printf("Mr $'s account balance is $").sa(customername).sa(balance).pr();
5. Re:Having good engineers by Anonymous Coward · 2013-05-03 07:24 · Score: 0
  
  Just don't use these char* sucker functions. They are plain evil and it is very bad engineering practice to hand a function a pointer without intrinsically handing over the length of the array the argument points to.
  Bell Labs was a hell-hole of sloppiness, actually and Mr Kernighan and Mr Richtie deserve some roasting wherever they now are.
a bigger concern by nimbius · 2013-05-03 00:55 · Score: 1

is that many 'best practices' are so undocumented and secretive that once you do find out about them as a security lead, it just becomes a ball of christmas lights to figure out the other moronic and insecure crap programmers are wholly convinced is pure and righteous. For example: string sanitization is a pretty wild goose chase.

--
Good people go to bed earlier.
Not unexpected by Anonymous Coward · 2013-05-03 01:06 · Score: 0

This is an industry that relies on scientifically unsubstantiated approaches all the time. This is one example; things like Agile are another. It's uncanny how software engineers as group embrace fads with gusto on a regular basis.
Good studies and bad studies by SirGarlon · 2013-05-03 01:53 · Score: 3, Interesting

I started reading the report and I quit halfway through the executive summary. This is one of those reports that says, "We documented a bunch of stuff happening. No idea why it happened, but let's speculate." I generally respect the folks at White Hat (have met several at conferences etc.) but I simply don't see the value in this report. I think they've lost track of why it's worthwhile to conduct a study in the first place. Perhaps Richard Feynman can help.

--
[Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
Problem is, TFA doesn't support the title by 93+Escort+Wagon · 2013-05-03 02:14 · Score: 1

Now, Slashdot just took its title from the submitted article, so I'm not going to pin this one on the "editors". But TFA does not appear to provide any evidence to actually support the title. It implies that security doesn't improve as much as you'd expect, which in itself contradicts the claim; but what few examples are given are really of companies IGNORING best practices.
Admittedly the submitted article is just a summary of a larger report, so it's possible the report itself provides some sort of support to the claim; but then one would hope at least one example of that would've been included in the article.

--
#DeleteChrome
Probably because by HeckRuler · 2013-05-03 02:19 · Score: 1

Probably because everyone I've ever heard use the term "best practices" has been a useless corporate suit with no clue how to craft software. The people who know their shit simply say that this part is good or this part is bloody fucking stupid.
"Best Practices" is one of those corporate buzzwords that offers the veneer of competence that suits use as a tool when talking to their customers or their own bosses. Do your best to stay away. Those guys are poison and will assuredly steal any thunder you try and make for yourself.
1. Re:Probably because by BVis · 2013-05-03 02:43 · Score: 1
  
  Then there are the guys that equate "best practices" as "the lazy programmers trying to get more time to do something that we've already decided should take X." I consider testing/QA as an example of "best practices". At a previous job, we were in a staff meeting talking about the progress of a piece of software we were writing. The bonehead VP of Marketing asked our QA guy how long he would need to finish a testing project. The QA guy answered "6 weeks". The VP then said "You have 3. QA always takes too long."
  Not "why is it going to take so long", or "what problems do you need to solve", just "That's too much time". Idiot.
  
  --
  Never underestimate the power of stupid people in large groups.
Actually, that was the result ... programs suck. by oneiros27 · 2013-05-03 02:37 · Score: 1

My take-away from the article was that training people about security issues worked, relying on application firewalls & automatic code review made things worse.
People: 1 ; Programs : -2. (or people 3, programs 0, depending on how you want to count)

--
Build it, and they will come^Hplain.
Passwords by gmuslera · 2013-05-03 03:23 · Score: 1

You could use passwords best practices (long, upper/lowercase+symbols+digits) so have your name and address as password, but that is not safe, no matter what password strenght checking program tells you.
Practice != Security by Murdoch5 · 2013-05-03 05:07 · Score: 1

Coding practices help you write nice, readable and maintainable code, with clean code you can work on securing it. Security in code is entirely a career in it's own right, it depends on the platform, the language, the protocols and more. So the first step is to make the code clean and maintainable, then you secure it, but don't group both together, you need the abstraction layer.
Then they obviously aren't... by pigiron · 2013-05-03 05:16 · Score: 2

"best" practices. Stop reading Gartner.
Disagree by Anonymous Coward · 2013-05-03 06:55 · Score: 0

Computer Science knows methods of achieving almost perfect security. It's called Formal Verification and it is fucking time-consuming, expensive and fucking complicated. You need to "design for verifiability".
So our pimps have decided we IT whores can't do that and instead do 217 "additional, great features plus facebook integration".
See by Anonymous Coward · 2013-05-03 07:12 · Score: 0

http://en.wikipedia.org/wiki/Formal_verification
It could also be arugued... by hesaigo999ca · 2013-05-03 07:41 · Score: 1

It could also just be argued that the next gen of studios for languages have more robust debugging and error checking and even documentation on such issues. You might get the next version of visual studio that runs the integrity test or acid test to see what an app or website is lacking for security. The built in unit testing modules can be used this way too.... it all depends on how much time can be given to secure the apps or just write the code and meet the deadline. The most secure ISO certified code (such as military or banking) usually take years for something that takes months in normal development.