Secure Coding
-
It's what we all need. Better software that's less vulnerable to attacks. Especially as much of our code gets deployed to a wider and wider circle of users.
The SANS institute is getting ready to try and test programmers, offering a series of exams that will let you know if you're a secure coder. Later this summer they'll begin pilots in DC on a few languages. There are already some practice tests online (C and C++, Java and J2EE with ASP/.NET and PHP/PERL coming soon).
I think this is a great idea and the SANS Institute is a great organization. I hope that this catches on and becomes a requirement like the MCSE or MCSD is for many companies.
Over the last 4 years, we've heard a lot from Microsoft in how they've revamped their development processes with regards to security. The delays in XP SP2, SQL Server 2005, even Vista, have been in large part to the stoppage of development in many areas to build more secure code. And it shows with SQL Server 2005, having no security issues in nearly 18 months since its release.
But what about sharing that knowledge? What about providing good, solid, secure programming examples? It's nice to see simple examples that showcase how a technology works, but the reality is that many people copy those examples. They use them in production code, forgetting to add all the additional validation that can prevent attacks.
And the same thing for speakers who present demos. I wrote about this before and I can appreciate that many of you don't want a bunch of error checking and validation to get in the way of what you're explaining, but too often people copy your example, not your production quality code.
If you write software, you should be an intelligent individual. Which means that you need to be able to see past the error handling, the validation, and other code that's really needed and focus on the specific code in a concept when it's being presented.
I'd love to see Microsoft really release some high quality code as examples, show us how to properly use the tools you've given us and build better applications for the future.
-
Amen, brother, preach on... 🙂
We all need to keep our code secure and I think we will be studying this subject when we retire! If a certification becomes available, maybe some really good training will start to become available as well.
Come to think of it, there may be good training available and I'm just not aware of it:-)
-
I have to agree with Steve that programmers are smart people and can see through the complexities of secure code to the example concept being demonstrated. Give us the truth, the whole truth, and nothing but the truth - we'll sort it out!
I heard a preacher one time say he was taught in seminary that he should always preach in such a way that an average sixth grader could understand every concept presented. He disagreed with that doctrine, saying that if he was in the pulpit, preaching his heart out, he felt he had a reasonable expectation that his audience would keep up!
He's right.
Load up the good code and we'll stop falling asleep in training and demos. Better, we'll get engaged, learn, apply, and propagate the good stuff!
But boss, why must the urgent always take precedence over the important? -
Even some simple things in presentations like not using SA would help. That is easy to avoid and doesn't complicate the demo.
Aunt Kathi Data Platform MVP
Author of Expert T-SQL Window Functions
Simple-Talk Editor -
I agree with Howard Johnson!!
Having once worked extensivly at Microsoft, and with the sql developers, It is always painfully obvious that the code that is presented in examples is half-assed at best. I always hear from the junior dba's "but thats how the example worked!" I have to remind them that at least 25% of all code is error checking, parameter validation, and debug statements. Once they are bitten by a difficult error to debug, they usually see the light.
-
Firstly, Microsoft DOES release gobs of high quality code, and has for years. Have you missed the Starter Kits that they have been publishing for years? So, the point that high quality, best practices code is unavailable is completely false.
Secondly, I do agree that demo examples that are overly simplistic and riddled with best practices violations do a disservice to the community. I'm currently working to get on with a company that teaches Sql 2005, and they made it clear that they want simplistic examples. (I'd prefer it the other way) Perhaps, once I get on-board, I might be able to make some headway in changing this perception. I think that it is absurd that most/all training sessions assume that you will take an extra step to rethink everything you were taught to incorporate in best practices into what they taught you before using the code in production. If security and best practices are that important, they should be used even in demos.
Warm Regards,Greg Wilsonsolidrockstable.com
-
A great idea, sure; but the problem is realy not in awareness in some cases, so much as expectations. No coder, no matter how intent on security, can guarantee the effort if the folks paying the bills want things yesterday at the lowest possible cost. Economics has tended to make security an almost impossible pursuit (same being true for bug-free software). If it was just about awareness then MS software wouldn't be so prone to security attacks (and I don't really mean to single them out, just to observe they have wads of resources and still can't secure anything effectively).
Another point to ponder. Almost all development is done on top a platform in the business world. Until those platforms are secure, the top layer of business wares are inherently insecure.
Nonetheless, it is a great thing to see someone finally starting to push educationa nd standard sin security at a practical level.
-
Hey Steve, it's off topic but you know the add *below* your editorial, for E2E Training? I would love to learn a 'mythology' to follow for my AS projects!
Hmm, would this make all my projects unreal or what? 
Steve.
-
I agree with Frank. Recently I worked for a company where the project managers were more concerned about time than efficiency and security. And surely the reason for such a philosophy was the budget.
-
Doh! I fixed the ad, so it's a methodology. Brian's teaching the class, so I expect the myths will be few and far between
The Start Kits are pretty good. We used a couple here at various times and they aren't bad as examples of how to proceed, but too often the high profile, widely distributed code examples on MSDN and TechNet are too simple.
-
Microsoft offers a free class in .NET development with many free books for writing secure code in most big cities, I attended the class in Houston twice. Here is the link for the free book download and online version in .NET 1.1 it is a very good free resource for anybody interested in .NET System.Cryptography code samples.
http://msdn2.microsoft.com/en-us/library/aa302415.aspx
Kind regards,
Gift Peddie -
If you're coding for .NET and you're not using Visual Studio 2005 then at least install FxCop!! If you're using VS2005 then make sure that you turn on Code Analysis in the project properties for every assembly that will be deployed to production!
Also, get into Unit Testing if you're not already. It won't cover anything you don't think of in advance but it will help you deliver quality code that behaves as expected. Whenever you think of another way your program could be abused, stop and write a Unit Test to make sure your code handles everything you do think of.
[font="Tahoma"]Bryant E. Byrd, BSSE MCDBA MCAD[/font]
Business Intelligence Administrator
MSBI Administration Blog
Viewing 12 posts - 1 through 11 (of 11 total)
You must be logged in to reply to this topic. Login to reply