Dark Reading on Secure Programming
Thomas Ptacek | July 9th, 2006 | Filed Under: Defenses, Industry Punditry, Uncategorized
We got picked up in Dark Reading again, this time in an article about secure programming, definitely one of our stomping grounds. Our inches:
“Time and time again, security software, written by security professionals, is found vulnerable to a dizzying array of attacks,” says [Thomas] Ptacek, a researcher with Matasano Security. “If security domain experts can’t get it right consistently, what hope do normal developers have, working under tight schedules with a myriad of other customer demands?”
In other words: if the OpenSSH guys can’t get it right from the start, what hope does anyone else have?
Interestingly, despite all its very public security woes, Microsoft has been a leader in the secure coding space, with its Trustworthy Computing initiative to shore up its coding practices, security experts say. “The security research community is increasingly recognizing Microsoft’s success here,” Ptacek says.
This meme has legs. Get used to it. You can clearly buy your way out of a security hole like the one Microsoft was in.
There’s at least one application that’s living proof of the secure coding concept. The Internet email server qmail, according to Matasano’s Ptacek, has never had a real vulnerability reported and it’s seven years old. “That’s an amazing accomplishment,” he says. “But it’s probably the exception that proves the rule” that software can be built with security from the ground up.
Yeah, yeah, there’s a hypothetical integer overflow in 64-bit qmail. Which kinda proves my point.
The rest of the article: Gary McGraw from Cigital says that training and static analysis tools are the solution to the secure coding problem. Meh. Training and static analysis tools are the solution to the stack overflow problem. Third-party testing is the solution to the application assurance problem. There is no solution to the secure programming problem.
David Pensak says, “The amount of code I still see that isn’t using the simplest error-checking to make sure input parameters are in the right range” is “unbelievable”. While I agree with the sentiment, I’m curious about what code Pensak might actually be looking at.
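Pensak's complaint about missing range checks and the 64-bit qmail integer overflow mentioned above come down to the same two checks on a length before it is used: the arithmetic must not wrap, and the result must fit the range the rest of the code was written for (on an LP64 platform a length that is fine as a size_t can be negative once stored in an int). The C below is an added illustration written for this post, not qmail's code or anything from the Dark Reading article; checked_add_len, length_fits_in_int and msgbuf are hypothetical names and the 256-byte capacity is a constructed bound.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if a size_t length can be stored in an int without truncation.
 * On LP64 systems size_t is 64 bits and int is 32, so a length that is
 * valid as a size_t turns negative when stored in an int; any routine
 * that tracks lengths in int must refuse such inputs up front. */
int length_fits_in_int(size_t len) {
    return len <= (size_t)INT_MAX;
}

/* Add two lengths with both checks the quoted complaint asks for:
 * the sum must not wrap around, and it must not exceed the caller's bound.
 * Returns 0 and stores the sum in *out on success, -1 otherwise. */
int checked_add_len(size_t cur, size_t add, size_t bound, size_t *out) {
    if (add > SIZE_MAX - cur)   /* cur + add would wrap around */
        return -1;
    if (cur + add > bound)      /* result is outside the permitted range */
        return -1;
    *out = cur + add;
    return 0;
}

/* A fixed-capacity buffer whose append path validates before it copies.
 * Hypothetical type; the small capacity is chosen so the bound is easy to hit. */
struct msgbuf {
    char data[256];
    size_t len;
};

/* Append n bytes; returns the new length, or -1 if the input is rejected.
 * The range check runs before any arithmetic touches the buffer, so a
 * rejected input leaves the buffer exactly as it was. */
long msgbuf_append(struct msgbuf *b, const char *src, size_t n) {
    size_t new_len;
    if (checked_add_len(b->len, n, sizeof b->data, &new_len) != 0)
        return -1;
    memcpy(b->data + b->len, src, n);
    b->len = new_len;
    return (long)b->len;
}

int main(void) {
    struct msgbuf b = { .len = 0 };
    char big[300];
    memset(big, 'A', sizeof big);   /* constructed oversized input */

    printf("append 5 bytes   -> %ld\n", msgbuf_append(&b, "hello", 5));
    printf("append 300 bytes -> %ld (rejected, len stays %zu)\n",
           msgbuf_append(&b, big, sizeof big), b.len);
    printf("INT_MAX+1 fits in int? %d\n",
           length_fits_in_int((size_t)INT_MAX + 1));
    return 0;
}
```

The point of splitting the check into its own function is that every caller gets both halves (wrap and bound) for free; the usual bug is a caller that remembers one and forgets the other.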