[8705] in bugtraq
Learning security
daemon@ATHENA.MIT.EDU (Kevin M. Myer)
Tue Dec 15 00:54:56 1998
Date: Mon, 14 Dec 1998 11:17:12 -0500
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: "Kevin M. Myer" <myer@ELANCO.K12.PA.US>
To: BUGTRAQ@NETSPACE.ORG

Hello,

This post may come across as off-topic but it remains an unanswered
question in my mind. I've been a member of the BUGTRAQ list for the
better part of 1998 and have learned much about UNIX (et al.) security
from it. However, one post by mudge@l0pth.com, talked about how insecure
some of the supposed security packages are these days and it got me to
wondering - where do they teach programmers security?

I am not a programmer - I don't even have a formal education in computers
or network or information technology. I have a degree in geology and I
gained my UNIX experience from the workstations I used for research. I
took one introductory comp-sci course, programming in C. However, I am
wondering if the rash of buffer overflows, sloppily coded programs or just
generally flawed algorithms or ideas for security are because programmers
don't KNOW any better.

Why do we ever hear reports of files that are installed world
readable/writeable? Why doesn't every programmer check the length of a
string and do something appropriate if it's longer than a buffer assigned
for it? Why do we keep revisiting the same mistakes over and over again,
only rolled in a slightly different fashion?

I guess my real question is - where is secure and good coding being
taught? Is there a book I can get that has a list of pitfalls to avoid
when I program? Are there any such courses available in colleges on a
wide-scale basis? Or is computer security bound to remain something that
a handful of experts knows anything about and they learned it the hard
way, by hacking around a system? I know that's how I've picked up what
I've learned so far and that's the best teacher as far as I'm concerned.
And I know Dennis Ritchie once was quoted as saying that UNIX wasn't
designed with security in mind. But you'd think somewhere, we'd learn
something about programming and that the buffer overflow, for example,
would be a thing of the past.

Just wondering - like I said, I'm no expert on any of this. I just know
enough to wonder why.

Kevin
--
Kevin M. Myer
Technical Services Specialist
ELANCO School District