Secure Coding Secrets?

re: Secure Coding Secrets?

asteingruebl — Wed, 19 Nov 2008 20:07:27 GMT

Michael,

The premise behind the programming paradigms and languages espoused by the Praxis folks (SPARK, Correctness by Construction) is that to achieve the assurance required for certain classes of applications (Flight control systems, automated train controls, etc) only these techniques will work.

I think we continue to delude ourselves that our current programming practices are going to get us where we need to go from an assurance standpoint.

None of this of course excuses all of the dependencies this component has on weak elements of the overall system. You're obviously spot on there.

Imagine you were strictly liable for all security defects in Windows, and it was a different economic equation than it is today. What elements of the SDL and software development at Microsoft do you think you'd need to change to get to that higher assurance?

re: Secure Coding Secrets?

sdl — Mon, 01 Dec 2008 21:16:53 GMT

the background of SPARK is clearly for building high assurance solutions for military etc etc, but the article declares that this can all work for classic COTS stuff which is often way more complex and general purpose. So that's why I wrote the article, I don't think it can be done because the demonstration didn't show it can be done. call me cynical :)

re: Secure Coding Secrets?

systemofsystems — Fri, 05 Dec 2008 03:39:29 GMT

PingBack from http://systemofsystems.wordpress.com/2008/11/28/short-term-memory/

"Imagine an SDLC where programmers don’t have to know how to write secure code, or even patch vulnerable code for that matter."

MSDN FLASH IRELAND - INTERNATIONAL RESOURCES - 18 DECEMBER 2008

Microsoft Ireland Blog — Thu, 18 Dec 2008 22:05:44 GMT

a {color : #0033CC;} a:link {color: #0033CC;} a:visited.local {color: #0033CC;} a:visited {color : #800080;}