Mailing List Archive



Re: [tlug] The Peon's Guide to Secure System Development



Quoth A. Sajjad Zaidi (Sun 2002-11-17 02:43:44PM +0900):
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Saw this on Bugtraq recently. Should be useful to both developers and
> admins:

Yup, I liked it so much when I saw it on BugTraq that I printed one out for
posterity. ;)

He makes some great points, but one problem I have with his urging people to
use "high-level languages" (to me, C[++] is a high-level language, but he
means Python, Java, et al.) is that a bug in one of those languages might
allow all systems written in that language to be compromised. Just as bugs in
[g]libc and GCC scare the shit out of us now, so will Python / Java bugs if
*everyone* takes this guy's advice.

Overall, his message is a very good one: start paying attention to security
when you code. Especially if you make that code publicly available.

I think his Java/Python statements come off a bit too magic-bullety.


-- 
Josh Glover <jmglov@example.com>

Associate Systems Administrator
INCOGEN, Inc.
http://www.incogen.com/

GPG keyID 0x62386967 (7479 1A7A 46E6 041D 67AE  2546 A867 DBB1 6238 6967)
gpg --keyserver pgp.mit.edu --recv-keys 62386967
