HP3000-L Archives

August 2002, Week 2

HP3000-L@RAVEN.UTC.EDU

Subject:
From:
Mark Wonsil <[log in to unmask]>
Date:
Sun, 11 Aug 2002 17:48:35 -0400
Not sure if it is OT or not, but put one there just to be safe.  I'm posting
this because it could have been written by Wirt, Alfredo or any other number
of people on this list.  The short version: less is more.  This is true in
so many aspects of life and no less true in software development.

From:
http://computerworld.com/securitytopics/security/story/0,10801,73346,00.html

Expert: Simplicity is key to keeping code secure

By Ashlee Vance, IDG News Service
AUGUST 09, 2002

SAN FRANCISCO -- When it comes to writing secure code, less is more.
That was the advice passed down yesterday by security expert Paul Kocher,
president of Cryptography Research Inc., who told the Usenix Security
Symposium here that more powerful computer systems and increasingly complex
code will be a growing cause of insecure networks.

Huge chunks of software such as Microsoft Corp.'s Windows operating systems
that have myriad features built in to take advantage of fast processors will
perpetually have more flaws than security experts are able to uncover, he
said. For this reason, programmers and companies should keep simplicity in
mind when writing applications and build in only those tools that appeal to
80% or more of users.

"The problem that we have is that we are getting these great performance
improvements, which lead to increases in complexity, and I am not getting
any smarter," Kocher said. "But it's not just me. I don't think you guys are
getting smarter, either."

Increased processor speeds tempt developers to create code that can take
advantage of the extra horsepower. This leads to software like Windows or
the Linux operating system growing over time. Every time the number of lines
of code is doubled, a company adds four times as many security problems,
which makes this trend of bigger, more feature-rich applications daunting to
security experts, Kocher said.

Compounding the complexity problem is a lack of trained security
professionals able to detect bugs. "There aren't enough people learning
security, and it's getting harder to learn it," Kocher said.

In addition, the number of computing devices and users connected to the
network is escalating rapidly, which leads to more financial transactions
being conducted online. A greater number of Internet-based transactions
means financial institutions are increasingly dependent on computers,
instead of humans, for analysis. That reliance only exacerbates the problem
of insecure software, he said.

Despite these challenges, there are strategies that companies can use to
help secure their software, according to Kocher.

Keep development teams small. Fewer programmers leads to more focused and
careful planning for an application and places a cap on the number of cool
features developers want to add in.

Make modular applications a top priority. Building software that can be
linked together, instead of creating one giant application, allows errors to
be isolated and companies to reduce the risk of an entire program being
afflicted by a bug.

Spend time and money on fixing security early in the software development
process. It's not enough to reach the end of a project and then begin
checking for security holes.

Think creatively in your design. Good hackers will try to find new and
interesting ways to assault a network.

Be humble. Developers need to realize they will make mistakes and need to
look out for them instead of blindly trusting their code.

Work on educating others. College students, for example, could be encouraged
to find ways to attack mock networks.

With these tips in mind, companies should be able to build better, more
secure software, but the overall problem of increased complexity poses
challenges that Kocher isn't sure can be overcome.

"Today, nobody has any clue what is running on their computer," he said.
"The complexity curve has passed us."

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
