[8718] in bugtraq

home help back first fref pref prev next nref lref last post

Re: Learning security [SUMMARY]

daemon@ATHENA.MIT.EDU (Aleph One)
Thu Dec 17 14:35:32 1998

Date: 	Thu, 17 Dec 1998 11:21:44 -0800
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Aleph One <aleph1@UNDERGROUND.ORG>
To: BUGTRAQ@NETSPACE.ORG

This is a summary of the many (and I do mean many) replies. Thanks to
everyone that contributed.

Why do programmers write unsafe code?

- There is no curriculum that addresses computer security in most schools.
- Programming books/classes do not teach secure/safe programming techniques.
- No one uses formal verification methods.
- C is an unsafe language.
- The standard C library string functions are unsafe.
- Programmers do not think 'multiuser'.
- Programmers are human. Humans are lazy.
- Most programmers are simply not good programmers.
- Most programmers are not security people.
- Most security people are not programmers.
- Most computer security models suck.
- Lots of legacy code that is broken.
- Consumers don't care about security.
- Cost in extra developing time.
- Cost in extra testing.

What secure programming resources are available?

Conferences:

  SANS ID'99
  "How Attackers Break Programs, and How to Write Programs Securely" by M. Bishop.
  < http://www.sans.org/ >

Classes:

  UC David ECS153 "Introduction to Computer Security" (M. Bishop)

  EnGarde's Secure Programming Tutorial
  < http://engarde.com/tutorials/tutorials_secprog.html >

Articles:

  "Designing Secure Software" by Peter Galvin
  < http://www.sunworld.com/sunworldonline/swol-04-1998/swol-04-security.html >

  "The Unix Secure Programming FAQ" by Peter Galvin
  < http://www.sunworld.com/sunworldonline/swol-08-1998/swol-08-security.html >

  "A Lab engineers check list for writing secure Unix code" by AUCERT
  < ftp://ftp.auscert.org.au/pub/auscert/papers/secure_programming_checklist >

  "How to find security holes" by Kragen Sitaker
  < http://www.dnaco.net/~kragen/security-holes.txt >
  < http://www.dnaco.net/~kragen/security-holes.html >

  "setuid - checklist for security of setuid programs"
  < http://www.homeport.org/~adam/setuid.7.html >

  "perlsec - Perl security"
  < ftp://ftp.digital.com/pub/plan/perl/CPAN/doc/manual/html/pod/perlsec.html >

Papers:

  "Robust Programming" by M. Bishop
  < http://seclab.cs.ucdavis.edu/~bishop/classes/ecs153-98-winter/robust.html >
  < http://seclab.cs.ucdavis.edu/~bishop/classes/ecs153-98-winter/Pdf/robust.pdf >
  < http://seclab.cs.ucdavis.edu/~bishop/classes/ecs153-98-winter/Postscript/robust.ps >

  "How to Write a Setuid Program" by M. Bishop
  < http://seclab.cs.ucdavis.edu/~bishop/scriv/1986-loginv12n1.ps >

  "Security Code Review Guidelines" By Adam Shostack
  < http://www.homeport.org/~adam/review.html >

Talks & Tutorials:

  "Writing Safe Privileged Programs" by M. Bishop
  < http://seclab.cs.ucdavis.edu/~bishop/scriv/1997-ns97.pdf >
  < http://seclab.cs.ucdavis.edu/~bishop/scriv/1997-ns97.ps >

  "UNIX Security: Security in Programming" by M. Bishop
  < http://seclab.cs.ucdavis.edu/~bishop/scriv/1996-sans-tut.pdf >
  < http://seclab.cs.ucdavis.edu/~bishop/scriv/1996-sans-tut.ps >

  "Shifting the Odds: Writing (More) Secure Software" by Steve Bellovin
  < http://www.research.att.com/~smb/talks/odds.pdf >
  < http://www.research.att.com/~smb/talks/odds.ps >

Books on writing secure software:

  "Practical Unix and Internet Security" from O'Reilly & Associates
  Chapter 22 "Writing Secure SUID and Network Programs"
  < http://www.oreilly.com/catalog/puis/ >

Books on writing bug free software:

  "Writing Solid Code" by Steve Maguire
  < http://www.amazon.com/exec/obidos/ASIN/1556155514/ref=sim_books/002-7935989-4651662 >

  "Code Complete" by Steve McConnel
  < http://www.amazon.com/exec/obidos/ASIN/1556154844/o/qid=913914934/sr=2-1/002-7935989-4651662 >


--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01
home help back first fref pref prev next nref lref last post