Blue Boar wrote:
To clarify, I'm talking about things like passing unfiltered user input
to a system shell, or a native API, something like that.
True. In the case of passing a user input string to the shell or a database
server, you're accepting what's potential a program as input. However,
At 8:10 PM -0400 6/29/04, James Walden wrote:
While there are non-university classes and workshops that teach software security, I
doubt that a majority of developers have attended even one such class. Software
security has to be integrated into the CS curriculum before we can expect a
Gee, Some of us have been saying that for 40 years.
James Walden wrote:
I'd like to open a discussion based on this quote from Marcus Ranum's
ACM Queue article entitled Security: The root of the problem:
Thanks. I also read Marcus's article with interest. Caveat: clearly, I
have a biased outlook, since software security training is one of the
Kenneth R. van Wyk wrote:
Overall, I like and agree with much of what Marcus said in the article.
I don't, however, believe that we can count on completely putting
security below the radar for developers. Having strong languages,
compilers, and run-time environments that actively look out for
If the state of the art in automobile design had progressed as fast as the
state of the art of secure programming - we'd all still be driving Model
T's.
Consider-
- System Development Methods have not solved the (security) problem -
though we've certainly gone through lots of them.
-