Re: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet]

2006-11-06 Thread mikeiscool
On 11/5/06, David Crocker <[EMAIL PROTECTED]> wrote:
> mikeiscool wrote:
>
> >>
> Don't go there, sister. Come up with some reasonable tests before making a
> statement like that. "Assembly code can be as much as a million times faster
> then the run time of a C++ version of the same algorithm." Bit useless, isn't
> it?
> <<
>
> I would not have made the statement I did had the tests not been done and
> provided very clear results. I am not at liberty to go into details of the 
> tests
> I have been involved with, however if you Google for e.g. "C++ C# 
> performance",
> you will see that other people are getting similar results.

Right, so again your statement is useless without numbers and tests we
can perform ourselves. You made the statement, so you either have to
prove it or let it slide.

-- mic
___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php


Re: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet]

2006-11-05 Thread mikeiscool
On 10/28/06, David Crocker <[EMAIL PROTECTED]> wrote:
> Crispin Cowan wrote:
>
> >>
> For me, the enemy in the room is C++. It gives you the safety of C with the
> performance of SmallTalk. There is no excuse at all to be writing anything in
> C++ yet vastly too many applications are written in C++ anyway. Instead of
> trying to coax developers to switch from C++ to something "weird" like SML, 
> lets
> encourage them to switch to Java or C#, which are closer to their experience.
> <<
>
> Unfortunately, there are at least two situations in which C++ is a more 
> suitable
> alternative to Java and C#:
>
> - Where performance is critical. Run time of C# code (using the faster .NET 
> 2.0
> runtime) can be as much as double the run time of a C++ version of the same
> algorithm. Try telling a large company that it must double the size of its
> compute farms so you can switch to a "better" programming language!

Don't go there, sister. Come up with some reasonable tests before
making a statement like that. "Assembly code can be as much as a
million times faster then the run time of a C++ version of the same
algorithm." Bit useless, isn't it?

Lets not forget that writing faster/more optimised code in c++ will be
more complex and hence allow room for more errors then letting the
c#/java runtime optimiser do the dirty work for us.


> However, I suspect that most security-critical programs do not fall into 
> either
> of these categories,

What? Cryptography rings a bell ...


> so C# or Java would indeed be a better choice than C++ for
> those programs.
>
> David Crocker, Escher Technologies Ltd.
> Consultancy, contracting and tools for dependable software development
> www.eschertech.com

-- mic
___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php


Re: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet]

2006-11-05 Thread David Crocker
mikeiscool wrote:

>>
Don't go there, sister. Come up with some reasonable tests before making a
statement like that. "Assembly code can be as much as a million times faster
then the run time of a C++ version of the same algorithm." Bit useless, isn't
it?
<<

I would not have made the statement I did had the tests not been done and
provided very clear results. I am not at liberty to go into details of the tests
I have been involved with, however if you Google for e.g. "C++ C# performance",
you will see that other people are getting similar results.

>>
Lets not forget that writing faster/more optimised code in c++ will be more
complex and hence allow room for more errors then letting the c#/java runtime
optimiser do the dirty work for us.
<<

C++ offers much more room for errors than C# or Java, and not just in memory
management. If you re-read my comment, you will realise that I was not promoting
C++ as being a better language than C#, just pointing out that there are some
situations in which the replacement of C++ by C# is not yet feasible, such as
where a performance reduction of around 30% to 50% cannot be accepted. It is to
be hoped that as JIT compiler technology continues to improve, the performance
gap will be further reduced.

David Crocker, Escher Technologies Ltd.
Consultancy, contracting and tools for dependable software development
www.eschertech.com




-Original Message-
From: mikeiscool [mailto:[EMAIL PROTECTED] 
Sent: 05 November 2006 02:19
To: David Crocker
Cc: Secure Coding
Subject: Re: [SC-L] re-writing college books [was: Re: A banner year for
software bugs | Tech News on ZDNet]


On 10/28/06, David Crocker <[EMAIL PROTECTED]> wrote:
> Crispin Cowan wrote:
>
> >>
> For me, the enemy in the room is C++. It gives you the safety of C 
> with the performance of SmallTalk. There is no excuse at all to be 
> writing anything in
> C++ yet vastly too many applications are written in C++ anyway. 
> C++ Instead of
> trying to coax developers to switch from C++ to something "weird" like 
> SML, lets encourage them to switch to Java or C#, which are closer to 
> their experience. <<
>
> Unfortunately, there are at least two situations in which C++ is a 
> more suitable alternative to Java and C#:
>
> - Where performance is critical. Run time of C# code (using the faster 
> .NET 2.0
> runtime) can be as much as double the run time of a C++ version of the same
> algorithm. Try telling a large company that it must double the size of its
> compute farms so you can switch to a "better" programming language!

Don't go there, sister. Come up with some reasonable tests before making a
statement like that. "Assembly code can be as much as a million times faster
then the run time of a C++ version of the same algorithm." Bit useless, isn't
it?

Lets not forget that writing faster/more optimised code in c++ will be more
complex and hence allow room for more errors then letting the c#/java runtime
optimiser do the dirty work for us.


> However, I suspect that most security-critical programs do not fall 
> into either of these categories,

What? Cryptography rings a bell ...


> so C# or Java would indeed be a better choice than C++ for those 
> programs.
>
> David Crocker, Escher Technologies Ltd.
> Consultancy, contracting and tools for dependable software development 
> www.eschertech.com

-- mic


___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php


Re: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet]

2006-11-04 Thread David Crocker
Crispin,

It is most certainly true that C++ can be appropriate in those cases. C++
programs can perform just as well as C programs, while also being much better
structured. Of course, it will be necessary to avoid performing frequent
allocation and deallocation of heap memory in the C++ program - but the same is
true of C programs. Poorly-performing programs can be written in either
language.

David Crocker, Escher Technologies Ltd.
Consultancy, contracting and tools for dependable software development
www.eschertech.com



-Original Message-
From: Crispin Cowan [mailto:[EMAIL PROTECTED] 
Sent: 03 November 2006 04:46
To: David Crocker
Cc: 'Secure Coding'
Subject: Re: [SC-L] re-writing college books [was: Re: A banner year for
software bugs | Tech News on ZDNet]


David Crocker wrote:
> Unfortunately, there are at least two situations in which C++ is a 
> more suitable alternative to Java and C#:
>
> - Where performance is critical. Run time of C# code (using the faster 
> .NET 2.0
> runtime) can be as much as double the run time of a C++ version of the same
> algorithm. Try telling a large company that it must double the size of its
> compute farms so you can switch to a "better" programming language!
>
> - In hard real-time applications where garbage collection pauses 
> cannot be tolerated.
>   
Except that in both of those cases, C++ is not appropriate either. That is a
case for C.

Crispin

-- 
Crispin Cowan, Ph.D.  http://crispincowan.com/~crispin/
Director of Software Engineering, Novell  http://novell.com
 Hack: adroit engineering solution to an unanticipated problem
 Hacker: one who is adroit at pounding round pegs into square holes

___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php


Re: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet]

2006-11-03 Thread Crispin Cowan
David Crocker wrote:
> Unfortunately, there are at least two situations in which C++ is a more 
> suitable
> alternative to Java and C#:
>
> - Where performance is critical. Run time of C# code (using the faster .NET 
> 2.0
> runtime) can be as much as double the run time of a C++ version of the same
> algorithm. Try telling a large company that it must double the size of its
> compute farms so you can switch to a "better" programming language!
>
> - In hard real-time applications where garbage collection pauses cannot be
> tolerated.
>   
Except that in both of those cases, C++ is not appropriate either. That
is a case for C.

Crispin

-- 
Crispin Cowan, Ph.D.  http://crispincowan.com/~crispin/
Director of Software Engineering, Novell  http://novell.com
 Hack: adroit engineering solution to an unanticipated problem
 Hacker: one who is adroit at pounding round pegs into square holes

___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php


Re: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet]

2006-10-29 Thread David Crocker
Crispin Cowan wrote:

>>
For me, the enemy in the room is C++. It gives you the safety of C with the
performance of SmallTalk. There is no excuse at all to be writing anything in
C++ yet vastly too many applications are written in C++ anyway. Instead of
trying to coax developers to switch from C++ to something "weird" like SML, lets
encourage them to switch to Java or C#, which are closer to their experience.
<<

Unfortunately, there are at least two situations in which C++ is a more suitable
alternative to Java and C#:

- Where performance is critical. Run time of C# code (using the faster .NET 2.0
runtime) can be as much as double the run time of a C++ version of the same
algorithm. Try telling a large company that it must double the size of its
compute farms so you can switch to a "better" programming language!

- In hard real-time applications where garbage collection pauses cannot be
tolerated.

However, I suspect that most security-critical programs do not fall into either
of these categories, so C# or Java would indeed be a better choice than C++ for
those programs.

David Crocker, Escher Technologies Ltd.
Consultancy, contracting and tools for dependable software development
www.eschertech.com



___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php


Re: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet]

2006-10-27 Thread Crispin Cowan
Gergely Buday wrote:
> Larry Kilgallen wrote:
>   
>> Is there participation on this list from the (hopefully larger number of)
>> CMU instructors who are teaching people to use safer languages in the first
>> place ?
>> 
> May anybody not from CMU enter the discussion about safer languages? ;-)
>
> I'm in favor of SML, as it has a number of implementations (some of
> them comparable to C in speed)  and a formal definition ("well-typed
> programs do not go wrong") + a standard library.
>   
SML is a nice & clean type safe language, and I don't mean to criticize
it. However, if the goal is to be ale to use industry-popular languages
that are safe, it seems to me that we have entered a bright new phase of
history. Python, Ruby, Java, and C# are all broadly popular in industry,
and are all type safe. Java and C# are statically type safe. So why not
use them?

For me, the enemy in the room is C++. It gives you the safety of C with
the performance of SmallTalk. There is no excuse at all to be writing
anything in C++ yet vastly too many applications are written in C++
anyway. Instead of trying to coax developers to switch from C++ to
something "weird" like SML, lets encourage them to switch to Java or C#,
which are closer to their experience.

Sure, there are likely to be ways in which SML is better than C# or
Java. However, in security, the perfect is all to often the enemy of the
good-enough. The big community hears security people talk about the high
security approach that security geeks really want, consider the costs,
and go back to doing things the old way, and ignore the security people.
If security people instead pitch something that is feasible and makes
the situation better, instead of asking for the moon, we will make more
progress.

Crispin

-- 
Crispin Cowan, Ph.D.  http://crispincowan.com/~crispin/
Director of Software Engineering, Novell  http://novell.com
 Hack: adroit engineering solution to an unanticipated problem
 Hacker: one who is adroit at pounding round pegs into square holes


___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php


Re: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet]

2006-10-20 Thread Gergely Buday
Larry Kilgallen wrote:

> Is there participation on this list from the (hopefully larger number of)
> CMU instructors who are teaching people to use safer languages in the first
> place ?

May anybody not from CMU enter the discussion about safer languages? ;-)

I'm in favor of SML, as it has a number of implementations (some of
them comparable to C in speed)  and a formal definition ("well-typed
programs do not go wrong") + a standard library.

But I do see it's hard to push it in industry. Managers like "industry
best practice" so that they need not take risk. Or, better say, they
take the risks everybody else takes just probably are not aware of
this.

>From the human resources point of view it's not that easy to find
experienced sml programmers as there are very few companies who employ
such creatures. Vicious circle, you know.

Regarding the programming environment and libraries: it's just not a
research act to develop such things for sml anymore, so academics will
not pursue it. I've heard of an NSF infrastructure grant to develop
eclipse plugin for sml, though. Industry has not catched upon yet, nor
the OSS community.

And, just as an aside: I've heard a story that some cs celebrity
(Dijkstra?) once coined some conditions for a programming language to
be successful. The last clause was "IBM should love it". Yep, we've
seen this with Java. Anybody from IBM?

- Gergely
___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php


Re: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet]

2006-10-17 Thread ljknews
At 12:11 PM -0400 10/13/06, James Walden wrote:

> you really have to use C because it's the only thing that will do,

That seems extremely improbable.
-- 
Larry Kilgallen
___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php


Re: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet]

2006-10-15 Thread Craig E. Ward
At 9:02 PM +1000 10/13/06, mikeiscool wrote:
>On 10/13/06, Craig E. Ward <[EMAIL PROTECTED]> wrote:
>>At 10:03 AM -0400 10/12/06, ljknews wrote:
>>>At 9:20 AM -0400 10/12/06, Robert C. Seacord wrote:
>>>
   I'm also teaching a course at CMU in the spring on Secure Coding in C
   and C++.
>>>
>>>Is there participation on this list from the (hopefully larger number of)
>>>CMU instructors who are teaching people to use safer languages in the first
>>>place ?
>>>--
>>>Larry Kilgallen
>>
>>
>>I don't think saying "use safer languages" is a good way to say it.
>>It would help conditions significantly if greater care were taken to
>>match the choice of programming language to the problem to be solved
>>or application to be created. If a language like C is most
>>appropriate, then use it, just be sure to take the extra steps needed
>>to develop it securely.
>>
>>The problem is so much the programming languages as it is the way
>>they are used.
>
>Well, programming languages can go a long way to helping solve the
>problem, and it can be reasonably grey as to where to use what. Should
>I use php or ror? or python? or c#? I'd say there is a very
>appropriate and open space for nice "secure" languages to live and
>develop.

I think that's what I was trying to say. The last sentence of my note 
has an error. I meant to write "The problem is not so much the 
programming languages as it is the way they are used."

Sorry for the bad proof reading.

Also, in the IEEE Software July/August 2006 issue in the "Tools of 
the Trade" department, Diomidis Spinellis discusses several factors 
to consider when selecting a programming language for a particular 
project. Those plus security make for some reasonable criteria to use.

Craig
-- 
Internet: [EMAIL PROTECTED]
"If a program has not been specified, it cannot be incorrect; it can 
only be surprising." (Young, Boebert, and Kain)
___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php


Re: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet]

2006-10-15 Thread James Walden
On 10/12/06, Craig E. Ward <[EMAIL PROTECTED]> wrote:
I don't think saying "use safer languages" is a good way to say it.It would help conditions significantly if greater care were taken tomatch the choice of programming language to the problem to be solved
or application to be created. If a language like C is mostappropriate, then use it, just be sure to take the extra steps neededto develop it securely.I agree that the programming language should be chosen to match the problem, though it's worth pointing out that security is typically part of the problem to be solved.  There are safer systems programming languages than C, such as D and Cyclone.  If you've considered the alternatives and you really have to use C because it's the only thing that will do, then yes, use it and be sure to use it securely and verify that fact with static analysis tools and code reviews.
 James
___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php


Re: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet]

2006-10-13 Thread mikeiscool
On 10/13/06, Craig E. Ward <[EMAIL PROTECTED]> wrote:
> At 10:03 AM -0400 10/12/06, ljknews wrote:
> >At 9:20 AM -0400 10/12/06, Robert C. Seacord wrote:
> >
> >>  I'm also teaching a course at CMU in the spring on Secure Coding in C
> >>  and C++.
> >
> >Is there participation on this list from the (hopefully larger number of)
> >CMU instructors who are teaching people to use safer languages in the first
> >place ?
> >--
> >Larry Kilgallen
>
>
> I don't think saying "use safer languages" is a good way to say it.
> It would help conditions significantly if greater care were taken to
> match the choice of programming language to the problem to be solved
> or application to be created. If a language like C is most
> appropriate, then use it, just be sure to take the extra steps needed
> to develop it securely.
>
> The problem is so much the programming languages as it is the way
> they are used.

Well, programming languages can go a long way to helping solve the
problem, and it can be reasonably grey as to where to use what. Should
I use php or ror? or python? or c#? I'd say there is a very
appropriate and open space for nice "secure" languages to live and
develop.


> Craig

-- mic
___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php


Re: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet]

2006-10-13 Thread Craig E. Ward
At 10:03 AM -0400 10/12/06, ljknews wrote:
>At 9:20 AM -0400 10/12/06, Robert C. Seacord wrote:
>
>>  I'm also teaching a course at CMU in the spring on Secure Coding in C
>>  and C++.
>
>Is there participation on this list from the (hopefully larger number of)
>CMU instructors who are teaching people to use safer languages in the first
>place ?
>--
>Larry Kilgallen


I don't think saying "use safer languages" is a good way to say it. 
It would help conditions significantly if greater care were taken to 
match the choice of programming language to the problem to be solved 
or application to be created. If a language like C is most 
appropriate, then use it, just be sure to take the extra steps needed 
to develop it securely.

The problem is so much the programming languages as it is the way 
they are used.

Craig
-- 
Internet: [EMAIL PROTECTED]
"If a program has not been specified, it cannot be incorrect; it can 
only be surprising." (Young, Boebert, and Kain)
___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php


Re: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet]

2006-10-12 Thread ljknews
At 9:20 AM -0400 10/12/06, Robert C. Seacord wrote:

> I'm also teaching a course at CMU in the spring on Secure Coding in C
> and C++.

Is there participation on this list from the (hopefully larger number of)
CMU instructors who are teaching people to use safer languages in the first
place ?
-- 
Larry Kilgallen
___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php


Re: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet]

2006-10-12 Thread Robert C. Seacord

Gadi,

I sort of agree with mic that the problem is poor programming.  My last
manager liked to pick up C text books at random and point out all the
vulnerabilities in the code examples that are being used to teach the
next generation of programmers (how to write vulnerabilities).

> This community is perfect for this job.

If the community is bored right now ;^) we are looking for community
help to build up our knowledge of secure coding rules and
recommendations for the C and C++ programming languages:

www.securecoding.cert.org

I'm also teaching a course at CMU in the spring on Secure Coding in C
and C++.  I'm hoping to take this material and incorporate it into the
course.  Once I get some experience teaching the material, I could help
turn it into a college text.  (I've written three books already, so I'm
a proven threat. 8^)

Thanks,
rCs


-- 
Robert C. Seacord
Senior Vulnerability Analyst
CERT/CC

Work: 412-268-7608
FAX: 412-268-6989
___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php


Re: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet]

2006-10-12 Thread mikeiscool
On 10/12/06, Gadi Evron <[EMAIL PROTECTED]> wrote:
> So, how can we edit current basic programming college books to present
> secure code, a couple of words of the correct way of doing things, and a
> whole new chapter on secure coding (which may be redudndent?)
>
> How do we start?
>
> Some Whiley book for introduction to CS?
>
> Any volunteers to get this on the road?

Secure programming is good programming. Most books teach good
programming. People just don't care.


> Gadi.

-- mic
___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php


Re: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet]

2006-10-12 Thread Gary McGraw
We're working on it!  The problem is not simply a book.

gem

 -Original Message-
From:   Gadi Evron [mailto:[EMAIL PROTECTED]
Sent:   Wed Oct 11 20:58:12 2006
To: Kenneth Van Wyk
Cc: Secure Coding
Subject:    [SC-L] re-writing college books [was: Re: A banner year for 
software bugs | Tech News on ZDNet]

So, how can we edit current basic programming college books to present
secure code, a couple of words of the correct way of doing things, and a
whole new chapter on secure coding (which may be redudndent?)

How do we start?

Some Whiley book for introduction to CS?

Any volunteers to get this on the road?

Gadi.

On Wed, 11 Oct 2006, Kenneth Van Wyk wrote:

> So here's a lovely statistic for the software community to hang its  
> hat on:
> 
> http://news.zdnet.com/2100-1009_22-6124541.html?tag=zdfd.newsfeed
> 
> Among other things, the article says, "Atlanta-based ISS, which is  
> being acquired by IBM, predicts there will be a 41 percent increase  
> in confirmed security faults in software compared with 2005. That  
> year, in its own turn, saw a 37 percent rise over 2004."
> 
> Of course, the real losers in this are the software users, who have  
> to deal with the never ending onslaught of bugs and patches from  
> their vendors.  We've just _got_ to do better, IMHO, and automating  
> the patch process is not the answer.
> 
> Cheers,
> 
> Ken
> -
> Kenneth R. van Wyk
> KRvW Associates, LLC
> http://www.KRvW.com
> 
> 
> 
> 
> 

___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php





This electronic message transmission contains information that may be
confidential or privileged.  The information contained herein is intended
solely for the recipient and use by any other party is not authorized.  If
you are not the intended recipient (or otherwise authorized to receive this
message by the intended recipient), any disclosure, copying, distribution or
use of the contents of the information is prohibited.  If you have received
this electronic message transmission in error, please contact the sender by
reply email and delete all copies of this message.  Cigital, Inc. accepts no
responsibility for any loss or damage resulting directly or indirectly from
the use of this email or its contents.
Thank You.


___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php


Re: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet]

2006-10-12 Thread Gadi Evron
On Wed, 11 Oct 2006, Gary McGraw wrote:
> We're working on it!  The problem is not simply a book.

Great! What are you guys doing? What more can be done? There are quite a
few of us willing to help, and I figure, starting with the books future
programmers learn from is not a bad idea.

This community is perfect for this job.

Gadi.

> 
> gem
> 
>  -Original Message-
> From: Gadi Evron [mailto:[EMAIL PROTECTED]
> Sent: Wed Oct 11 20:58:12 2006
> To:   Kenneth Van Wyk
> Cc:   Secure Coding
> Subject:      [SC-L] re-writing college books [was: Re: A banner year for 
> software bugs | Tech News on ZDNet]
> 
> So, how can we edit current basic programming college books to present
> secure code, a couple of words of the correct way of doing things, and a
> whole new chapter on secure coding (which may be redudndent?)
> 
> How do we start?
> 
> Some Whiley book for introduction to CS?
> 
> Any volunteers to get this on the road?
> 
>   Gadi.
> 
> On Wed, 11 Oct 2006, Kenneth Van Wyk wrote:
> 
> > So here's a lovely statistic for the software community to hang its  
> > hat on:
> > 
> > http://news.zdnet.com/2100-1009_22-6124541.html?tag=zdfd.newsfeed
> > 
> > Among other things, the article says, "Atlanta-based ISS, which is  
> > being acquired by IBM, predicts there will be a 41 percent increase  
> > in confirmed security faults in software compared with 2005. That  
> > year, in its own turn, saw a 37 percent rise over 2004."
> > 
> > Of course, the real losers in this are the software users, who have  
> > to deal with the never ending onslaught of bugs and patches from  
> > their vendors.  We've just _got_ to do better, IMHO, and automating  
> > the patch process is not the answer.
> > 
> > Cheers,
> > 
> > Ken
> > -
> > Kenneth R. van Wyk
> > KRvW Associates, LLC
> > http://www.KRvW.com
> > 
> > 
> > 
> > 
> > 
> 
> ___
> Secure Coding mailing list (SC-L)
> SC-L@securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> 
> 
> 
> 
> 
> This electronic message transmission contains information that may be
> confidential or privileged.  The information contained herein is intended
> solely for the recipient and use by any other party is not authorized.  If
> you are not the intended recipient (or otherwise authorized to receive this
> message by the intended recipient), any disclosure, copying, distribution or
> use of the contents of the information is prohibited.  If you have received
> this electronic message transmission in error, please contact the sender by
> reply email and delete all copies of this message.  Cigital, Inc. accepts no
> responsibility for any loss or damage resulting directly or indirectly from
> the use of this email or its contents.
> Thank You.
> 
> 

___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php


[SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet]

2006-10-11 Thread Gadi Evron
So, how can we edit current basic programming college books to present
secure code, a couple of words of the correct way of doing things, and a
whole new chapter on secure coding (which may be redudndent?)

How do we start?

Some Whiley book for introduction to CS?

Any volunteers to get this on the road?

Gadi.

On Wed, 11 Oct 2006, Kenneth Van Wyk wrote:

> So here's a lovely statistic for the software community to hang its  
> hat on:
> 
> http://news.zdnet.com/2100-1009_22-6124541.html?tag=zdfd.newsfeed
> 
> Among other things, the article says, "Atlanta-based ISS, which is  
> being acquired by IBM, predicts there will be a 41 percent increase  
> in confirmed security faults in software compared with 2005. That  
> year, in its own turn, saw a 37 percent rise over 2004."
> 
> Of course, the real losers in this are the software users, who have  
> to deal with the never ending onslaught of bugs and patches from  
> their vendors.  We've just _got_ to do better, IMHO, and automating  
> the patch process is not the answer.
> 
> Cheers,
> 
> Ken
> -
> Kenneth R. van Wyk
> KRvW Associates, LLC
> http://www.KRvW.com
> 
> 
> 
> 
> 

___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php