Learning security

Kevin M. Myer (myer@ELANCO.K12.PA.US)
Mon, 14 Dec 1998 11:17:12 -0500
Hello,

This post may come across as off-topic but it remains an unanswered question in my mind. I've been a member of the BUGTRAQ list for the better part of 1998 and have learned much about UNIX (et al.) security from it. However, one post by mudge@l0pth.com talked about how insecure some of the supposed security packages are these days and it got me to wondering - where do they teach programmers security?

I am not a programmer - I don't even have a formal education in computers or network or information technology. I have a degree in geology and I gained my UNIX experience from the workstations I used for research. I took one introductory comp-sci course, programming in C. However, I am wondering if the rash of buffer overflows, sloppily coded programs or just generally flawed algorithms or ideas for security are because programmers don't KNOW any better. Why do we ever hear reports of files that are installed world readable/writeable? Why doesn't every programmer check the length of a string and do something appropriate if it's longer than a buffer assigned for it? Why do we keep revisiting the same mistakes over and over again, only rolled in a slightly different fashion?

I guess my real question is - where is secure and good coding being taught? Is there a book I can get that has a list of pitfalls to avoid when I program? Are there any such courses available in colleges on a wide-scale basis? Or is computer security bound to remain something that a handful of experts knows anything about and they learned it the hard way, by hacking around a system? I know that's how I've picked up what I've learned so far and that's the best teacher as far as I'm concerned. And I know Dennis Ritchie once was quoted as saying that UNIX wasn't designed with security in mind. But you'd think somewhere, we'd learn something about programming and that the buffer overflow, for example, would be a thing of the past.

Just wondering - like I said, I'm no expert on any of this. I just know enough to wonder why.

Kevin

--
Kevin M. Myer
Technical Services Specialist
ELANCO School District