The most secure code in the world
September 28th, 2005 by ido, Filed under: Commentary, Linux
I’m going to say some things that might be the last thing I’ll ever be able to say (you’ll see why in the next paragraph). Open source is only as secure as its developers made it. It is not more secure than closed source, and it’s not better than closed code. It’s merely code!
Most of the open source community (hey, I also develop open source tools and programs) tries to sell us that Open = Secure. When Internet Explorer had a lot of security risks one after the other, Firefox developers came and told us that in open source it would never have happened. There are 10000000 (I must have missed a few 0s) eyes on the code, so it cannot be less secure, only more secure…
Ammm.. OK (I’m starting to look for a place to hide right about now)
The fact is that for better and more secure code, the first thing we have to do is educate people to think and be paranoid. Yeah! You cannot trust any user input or any result of a system function, and you must validate them over and over again.
You must check the input and see that it does not overflow the amount of memory you are willing to give your buffers.
You must sanitize (filter) any char you do not wish to see and have.
And escape anything that you must have, but that may affect your program.
But wait, that still does not give us secure programs and code; it only starts making us understand the risks better. For example, an off-by-one can happen to everyone… especially after alcohol is involved.
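The three checks above (bound the length, filter, escape) and the off-by-one trap, as an added C example that is not from the original post. The function names, the allowlist and the choice of HTML as the escaping target are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Allowlist: bytes copied unchanged. Anything not listed here or in
   escape_for() is dropped (the "filter" step). */
static int is_plain(unsigned char c) {
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == ' ' || c == '.' || c == '-';
}

/* Bytes we must keep but that have meaning downstream (assumed: HTML). */
static const char *escape_for(unsigned char c) {
    switch (c) {
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '&':  return "&amp;";
    case '"':  return "&quot;";
    case '\'': return "&#39;";
    default:   return NULL;
    }
}

/* Copies in[0..in_len) into out (capacity out_cap, NUL included).
   Returns bytes written, or -1 if the result does not fit. */
long sanitize_input(const char *in, size_t in_len, char *out, size_t out_cap) {
    size_t used = 0;
    if (in == NULL || out == NULL || out_cap == 0) return -1;
    out[0] = '\0';
    for (size_t i = 0; i < in_len; i++) {
        unsigned char c = (unsigned char)in[i];
        const char *esc = escape_for(c);
        size_t need = esc ? strlen(esc) : 1;
        if (!esc && !is_plain(c)) continue;      /* filter: drop the byte */
        /* ">=" keeps one byte for the NUL; ">" here is the off-by-one. */
        if (need >= out_cap - used) { out[0] = '\0'; return -1; }
        if (esc) memcpy(out + used, esc, need);
        else out[used] = (char)c;
        used += need;
    }
    out[used] = '\0';
    return (long)used;
}

int main(void) {
    const char sample[] = "Bob <b>&\x07 co";     /* constructed input */
    char buf[64];
    long n = sanitize_input(sample, sizeof sample - 1, buf, sizeof buf);
    printf("%ld: %s\n", n, buf);
    return 0;
}
```

The size check runs against the escaped length, not the raw input length, because escaping can grow a single byte to six.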
And what about a user who takes control of our function jumps (you know, by changing the hard-coded machine code of the program), or who injects system functions of his own? We can sanitize the input we get back from a function, but we cannot control what happens inside the function itself…
Or even bugs that we didn’t think we had, which someone found and exploited. Or as Knuth once said: “I just proved that my claim is right, but I haven’t tested my code with a compiler” (I’m quoting from memory…)
But I just realized that that’s not the thing I needed to start with… I should have said that we are not educated to think in more secure ways. In high schools and universities we are taught to assume that the user input is somewhat correct, and that all we need to do is focus on the functionality of the program.
We are also taught that there is only one “right” way to do things, and that’s the professor’s way.
So before everyone starts jumping and accusing something of being more/less secure, let’s start teaching people to do things in a more secure way… So how do we start?