RE: [SC-L] Missing the point?

2004-04-21 Thread Michael A. Davis
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> While you are exactly right that developers write bad code,
> we shouldn't leave the developers out in the cold and just
> say "You are the problem. Learn to write better code." If there
> are code auditing and

Ah, my original email wasn't verbose enough. I meant, as others have
pointed out, that there is no one solution but organizations must use
multiple solutions. Code audits won't save you and neither will only
educating developers. 

The point of my email was more of a vent because most people, and
media it seems, assume more and more technology is the answer to
security problems. Maybe we should focus more on the developer AND
give them the tools.

> We allow developers to have debuggers, right? Why not let
> them have code tools that scan for stupid errors like buffer
> overflows in their code? It's just another tool in the
> toolbox. Great developers, like great artists, still must be
> fluent with their tools.

I 100% agree but want to emphasize that developer education and tools
go hand in hand. If you only use one you are only solving part of the
problem.
 
Hope that clears up my initial email.

Thanks,
Michael A. Davis
Chief Executive Officer
Savid Technologies, Inc.
http://www.savidtech.com  

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQIWfXNo69WASbsMmEQJvYwCeLtX+ha9i+xmbQO1xirrEm15nOo4AoMc4
PRWw9Ft+6Og9UxmPlvzGQ3sT
=a2pT
-----END PGP SIGNATURE-----
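The "stupid errors like buffer overflows" the quoted poster wants a scanner to catch are usually of one shape: an unbounded copy into a fixed-size buffer. The following is an added illustration for this thread, not code posted by any participant: the pattern a source scanner flags (left in as the "before" case and never called with oversized input) beside the bounded form a developer who understands the issue would write. Buffer size, function names and the rejection-rather-than-truncation policy are the example's own choices.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed example. A 16-byte buffer leaves room for 15 characters
   plus the terminating NUL. */
#define NAME_LEN 16

/* The "before" case a scanner flags: strcpy() never checks the length
   of src, so any input of NAME_LEN or more characters writes past the
   end of buf. Kept only to show the pattern; do not call with long input. */
void greet_unsafe(const char *src)
{
    char buf[NAME_LEN];
    strcpy(buf, src);              /* flagged: unbounded copy into a fixed buffer */
    printf("Hello, %s\n", buf);
}

/* Hardened form. The destination size is passed explicitly, the result is
   always NUL-terminated, and an input that does not fit is rejected rather
   than silently truncated (truncation can itself change meaning, e.g. in
   paths or usernames). Returns 1 on success, 0 if src was rejected. */
int copy_bounded(char *dst, size_t dst_len, const char *src)
{
    if (dst == NULL || src == NULL || dst_len == 0)
        return 0;

    size_t n = strlen(src);
    if (n >= dst_len) {            /* no room for the NUL: refuse */
        dst[0] = '\0';
        return 0;
    }

    memcpy(dst, src, n + 1);       /* n characters plus the terminator */
    return 1;
}

/* Same greeting as greet_unsafe, built on the bounded copy. The caller
   learns whether the input was accepted instead of getting a crash. */
int greet_safe(const char *src)
{
    char buf[NAME_LEN];
    if (!copy_bounded(buf, sizeof buf, src))
        return 0;
    printf("Hello, %s\n", buf);
    return 1;
}

int main(void)
{
    greet_safe("Alice");                                    /* accepted */
    if (!greet_safe("a name far longer than the buffer allows"))
        puts("rejected: input too long for buffer");        /* rejected */
    return 0;
}
```

The point the thread is making holds here: a scanner will flag the strcpy() line, but deciding that oversized input should be rejected rather than truncated, and making the caller handle that, is a judgement the developer has to make.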
Re: [SC-L] Missing the point?

2004-04-20 Thread Dave Aronson
On Tue April 20 2004 12:34, Michael A. Davis wrote:

> It is not the source code that is the
> problem -- it is the developer.

The proof of the developer's grokking of secure coding, is in the code.

-- 
Dave Aronson, Senior Software Engineer, Secure Software Inc.
Email me at: work (D0T) 2004 (@T) dja (D0T) mailme (D0T) org
(Opinions above NOT those of securesw.com unless so stated!)
http://www.securesoftware.com is HIRING developers/auditors! 


RE: [SC-L] Missing the point?

2004-04-20 Thread Alun Jones
[EMAIL PROTECTED] wrote:
> Michael A. Davis wrote:
>> Isn't she missing the point? It is not the source code that is the
>> problem -- it is the developer.
>
> Well, of course you can improve the quality of your code by
> educating your developers, but you cannot avoid doing code review.
> Developers are lazy and they will commit errors.

More to the point, they are human, and even developers that are not lazy
will occasionally make mistakes.  Simply finding a committed programmer who
understands security will not produce a secure product.

Alun.

-- 
Texas Imperial Software   | Find us at http://www.wftpd.com or email
1602 Harvest Moon Place   | [EMAIL PROTECTED]
Cedar Park TX 78613-1419  | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.