|
|
|
Security Onus Is on Developers
By: Peter Coffee
2006-06-12
Article Rating: / 0
There are 0 user comments on this Application Development story.
Security Onus Is on Developers (
Page 1 of 2 ) JavaOne panelists say technology and admission of fallibility are crucial to robust code.During last months JavaOne Conference in San Francisco, Fortify Software convened a panel to discuss the role of application developers in software security and the need for appropriate development technology, without which genuine security is impossible to achieve.
Invited expert panelists were Gary McGraw, chief technology officer of Cigital, of Dulles, Va., and a widely read author on this subject; Bill Pugh, professor of computer science at the University of Maryland in College Park, Md.; David Wagner, professor of computer science at the University of California at Berkeley; and Bill Joy, co-founder of Sun Microsystems, of Santa Clara, Calif., and a partner in Kleiner Perkins Caufield & Byers, of Menlo Park, Calif.
The opening statements of these experts are shared here, and more of their subsequent discussion and their Q&A interaction with the invitation-only audience is linked from the eWEEK blogs.
That link can be readily found in the June 12 entry titled "Notes from Fortifys security panel at JavaOne" in the Archives section at blog.eweek.com/petercoffee.
Gary McGraw
Java is good because its type-safe. A lot of people that use Java may not even be aware of that, but the fact that theyre using it is very important and good.
The problems that we see in software security—from a technical perspective—often are related to the programming language C, which is kind of a disaster from the security perspective. Java did a lot to clean up the mess and make things a little bit more comprehensible.
But software security is about two kinds of problems: bugs and flaws. Its important to think about both. When youre working with Java, youll have fewer problems with bugs because of type safety, and youll have more cycles to spend thinking about architecture and about building in security from an architectural perspective.
Bill Pugh
A lot of people think that errors and defects and stupid mistakes are things that the "lesser programmers" make. One of the things that Ive found is that tools find insanely embarrassing bugs, written in production code, by some of the very best programmers I know.
People start thinking, "Because we have smart employees, we have a good development process; were not going to have stupid bugs." But no. Everybody, every process, every person makes stupid mistakes. It just happens. The question is, What do you do to find and eliminate your stupid mistakes after they occur? Because theyre going to occur.
Next Page: Losing a battle, catching mistakes.
|
|
�������x}ks8q�8c�H)ْcؖRԭҡHH"$eG3wu��_zВ��9q*G�ht7�F;�?{{~$rɅkmJ9;D�{{}.Ї}oS�/92t=z#�m��)>M3ة��5�w�5Gl&r{'A�t=NN5��%�j'A]kc{F}_2z5o0�f��E1;F��6I��M9�J��D}9�K;;$?*B�e�MGa�oF
�w*�7�,
�T%h�!�G�Qes?;z'�=�i@a5w0NKg8$C5n�CQ��eKV�6^�;�s9Fȹ�׳�z$fRvn8Gd jI:*�`iTi11܋�]Lч(�@oڮ�S.PVfFԲ;g�uGg�cGMҳ�GCL�H��6=~0[��Q�M�+�.l5ZJP0'C8:)X̠�e[7G0ml_j|��uvs<$s~3 j�d��1KU
o�z�cn�K p==\'��xtTa_�eY7;�Ͱ-6@6#M-jZUQ
b�kG{Q>o9{ۖ3bR;}k7?;Wʪ)Jw9ʑ�GA
�n�p[J�^V\w{>~j��r ����o%&�W J�DTRBh$"���Pc@GNj${@B��oVQ+ZV�H+(H.##I-LcyO`%�pbQUri�[}o__]wzmo�_wڧH>߈ekby
1�=�b Jw3Bz���7Ke{#kjꜴ{H
ݹGtHM��Wh:w -Nկ7#>kxej;d�Pp9LwjT{$�Zݓ6�Py$Y)r"8_��C�J�ݖeL_ȻX__�G)H̛cM�|`Ip6M2X��c��]N�S��jVm&T7o`�H�2� S��Ks뮞;�j�\K}0�[=RFp &�\� ��a�C\ش�6�,%��hJ@d$e��$�}ВYtBF(0
.)J�""xN3�qE�K�H�@!=F!8�N��#8U%Kus7p@WMCrNTʊ0Sr{gH
n�uƍv"e.ڽ^C�8^$glh|�*$]ezr�cZ�ԷW�J��dzTJMU~
X8ʕ�??1n!SG�ñA�3&M:vٗ`:A!0h�
vz?�Oiͧ8Ԑ�'��Q�}Q�ޣ8�ݘX���I70i�\�;���G~N unY҇@�&!1ԟsZ
TP"AЂNz>t�T�;�]|�2��Zw�9ܻ-,&w��zA
�JC�͋�F����6��x���BeV~�}�̢�Ps݀�ܧ�}-�bMAjweC���97(_fԁ!~9.b�&�A/�tKt(�.5e+:O̗�HڶES�R�Bo+څP��!_.dI�_fMb�tȌ}>I!VF!3OH sf@nmhIJ:�#7��4�)��zz�%J�ݼ^`��;{q%%Aw
�-�U檱�@4l*�Y+fM�EI��J�ەi]jk-�T8�W�7�Bʶb/Xa`ѩE]QZJKPD@BR)i�
iY�)^(yt�NJIע-Mf�����X5m���,oU�'G&,mk5Z��a�5sv@6��d@��h�`L �DolvCbx5�^z'��<> 7�=`kqu+ ?;�ӣ(!�c�(L>AӰ�H��ZU�ggm1L0L8`�T�lb8l�[b�?xlu�j 1ՃE�4Ǣ\R
�~D�[�d"�vd6˰A�m��g#�Oa+,HҜЦȅ�@s@M~��N!3pPQ@1�"N�Ou/�+/OY�.# ��{��o`"12l�3u�/.ft|pݱM% i�4Q,(J9A�)` L] TC���%@#P-Wб"FaK�鬡aKUѫSOm{hC��y-h\>,*�8~Ö'"!1|ڣ��s�3R*rW+ T|�;fjZ(T+16UT9*J�7;�~~{ ��F
�� .b_~62Msg67��3�Tx+}x�eT8e���1_0���VW �#cJI3D#��w�%
'
L-`Z�5{+�M�{ w0q��\3j
8�.`�k軏M�?b���'%:��"tC*:2
Z
`��|jD�a�#�B",`V0!�)
=m6QJs�-"vV�;gKjc�~I�1�H��%�kSsGŕ5����lć{é�#��uMa�Fž,JV-= h8+C�b�RD��iV{0-̓S\w!Z��IJT,ۀ
V�0��3+F_H]-fM�f2/��c�>ϣ��#W5�oK�HBO"+�>�AJ:\+lm�砰̧LSG_pl1�\AXnc<>֍Ln�~Uc/|o�,,n1y��%Ŵ@QMP�*jII�z$peU1�=m2V�VhW`Ze&{�\
%܃{s��iPo)Q뱛r�+[Y.)Ӕ�7ϰ�:;�Rb���k(^h>c[��*\� 'd�н
srn^7��7b�7L`jX&IyyD#Sk�!�x��m��H!u,V��:N/Ns:֒TzB_ɾj8ϐa5(�a4�'5G(
V�`!旁wPR# (ʑ�=`?����`
ɈVwu�]N�αf_D�B@np�kz!NU��e,$+�e3ғ2%K'&'
�&9ghDu~in/b��~C<�B<�/Mp<"�
]lX{pң[Jq�V���~2)}Am9˝�~DҴ��(�ō7����"tSOkԛC2L:�*r֞SE[@-{r=1ða�Tw d e~�=m22uC%�<2KђL)dJH3�C8�z>SB&T
ۓ$-I^O eqj�i�e�ʒ��~I/i'1ۡ �Үۓ�]5/G8+
(OLkrwisy�]ҹsXd<�VpHCR��Cs<���AB|$Hy��0���*vZRZzl*$�?v�Ƈ!�hqb��wy�~@0G�W吜ZC=rj��_w�=z@:7�-g?Kȸ��Gu*b9l_빿Aݞ0nae1쭿?�nw{ft,z{j\.S}AZnL�x�V='F�49���1;6q=}ℜo;z6rO0�>oR8��i?{sҹ2CWq��:a)`)=$�XH�!Hn
e_-"2gNIJn/�ߍL�zd<
,f}�
x3D?,�ye919g�nR;-Ӈ�z2GP
>{~}q�.e~W�(�R��/o>-\.s25Q#�v%ދsq8́qV�#y�∶K`#j�>b_{k�&bi4W;�Tf{s̷L�kDxj� �Yj4&Kmx<^t79w�Ff#A�VާA3�ZQ-F}?��ϷIO�4ۺw�Yٕc�'`e3�9PUT}]?,s�a�j! �wCto<�m0K�I�:3�
Q>
Ot8/`/=[>8�2�-"Yf]U�'�6hZ+tkq#���NŽ$��:g;�4L�
�GP;
�#L7R�Ui
y ��*%:9s�O-Br;7v*QT+էa�,s6�9
�"�哟Vp,ᶿ,Ad [�y�#u7
0��G{ �si�LѸ)O8�3=�S�/Kvw2dg@£[< ӎ)Apü1lt�@8Nb=Xuㇱ�"
"� :�2l`��̽j�"Մ@���"[�Y8Nyii첎PE(#�y_?,mEѢ�Lnj�qXPf�~cdpB�ϯđd�U�K<0h"R2'U%.<튋�G9xvY{?oA$rKb(q�#m�ZPKqTDe�!!yV +fuHV�7c/'7M��N'����LE�_ebL%`�eݦ^03g�B,ֆ0\@+J4Z)1Zg�*Gt3�ۼI!~#g�j3dH���!q�)�>oԫJII$�pR@�TtoV#�TLj,U� �!ls��0J2�:� �W33�҉kRYp<~ރ(`�A��A�%�y(9aLB'"��hJ&|ա~>Wx�,)�&eЋ\is�ݱ+m��?-�x�ЙtzgJjQS45"�*AA%�*AD@}��X
�(4�Sk'I*m �KK'��AoX'ɑD'Ϋ&<Ƭ]QAR*~g�;q�ƥ�vƖ!���Գܹo/bI�j��cyĘ�$�H"_5<�;!bvFFc��-:}<���
&N)uJ�J!Ɂq�$C*kZA|���&F$�ݛ'1܃�Us#)cqxdGP-E]?PVra*5-��T7(mѲ�I#דBB|TUk�d
�� � a�$lŃL�^��"i<�#huDh��Jmg0�K=[a\.+%(Z&UA� "�n�+G=آЎ�VD+,rk,::+.t�ooooگo%�TO5,,,
ٜ?ޣDԝ�8�m�K0Rt�*ʏ��>���<�#���u�Ѧj_gq}F�%H4�]uK^:�t-~9�{Ȧ>�xE}�
(eQ7.%%<9WĦ#Ӕ0�WPY��Rpsk�,5'N�IXSٕ(�:gc_l�=pxjdfo9f�`4 #5t>HB��� �i8���$1�ݙta�;�^h�[�H�� a��T 揇M�ҨLJg^9mIiWp�fˢ3TjJi�SƉ�ۣs-ilRaK�1(L��*9�X�lS
jQmP:!�* 2'�*F
�^�?LzY$E'WJ�E:`ѿҏR+V)c<�n�r6#6h`�P��D���WГ��5��>|+h��Q g|j~q~i/m~9����ɗy�P\�'�i�>#Vl1E+lZ�gj�w �OQ4x>FkB
L/":��/̇vq{QP@#D<$(bk�ʁV=P�,[�MM�U+
RQiH��:�[�a
l?�Q�X2z{��n���$?87핡�6ǜMEfAOT9�>ĪUs\:$VG ]J1x~��[O֘0h)B Eٚ�A�5�=�\U
BI��?+��|Z3�Hh~ZSLx!Vi
�?�l��=umvX5Ğ�{�,s3Khi�Ԙp
3pB�K�$:ţO;�h.?FI�tke�lM/���')3"[7\h ��0>��6)��l�X-Ts�Z.Wf�z`Nu_�ZՔV-{�d�CX��X!��5r3�֘/��4TOdG=zԑ8mx�#/bZN{ЀVa�*zec�AL\b؈>PP*(Zz/0g�s%� �fl;�sXx[Mw5=�
zt3!" �,;ʋ�:�^Rc$�W6 c,�{:;K�iѩ��H
Wkm3R)59S\mD��ΝN|Y#/V�kў�3,9)[d��/0L~%U$x[jhwQf1q8
@�Lwt��c0Ift\xG,%_ۄ�z%|�#+X.>
1غbkW1�JzM Ļex�i)_y1DC_*�J�@(fiir'�o&G�졢�Y�o/>QHE*o�G�Z�1�ߕ���߉�6��Y?+Kt�MD90*
>%7A6po<|SP�ʕ�U+%=~hp����̊XH�t4*$:o��m;=P}LfRO��a��O�o�(ZU�X�]N"�@�[� '
o�����!\��3z%%n4Wp=9�ڛxCaJ��uA:@"\2��B��t>v.Wם~qjy�al\_db(�,g6OzY�yfzʜTN/6u\�XgrxixɎ>+b,.67Jug(;�0%lyї�5�1*o&,l��O=�Vi؊Km9��J8ٝE/�|jcC^�ZZ�-�!pXihЄ�!>E'}ҽl�Jk%ꋲs !_ kȿޜ�Jmfw!ߜ���'9�s����?n?�gVieC:�CL2#�Ͻ\^Fg9�gծq1?�0_�,ߋ�^�~.2s���E�}^�}^d'e/?A3?�-#�/2a~/3�2.a.3�f�! _�
*>UFk�{�{��3�@_�3�ʇ}�'ߧ�@MV>M�@7��d_ru��|ּ)��qF~)8ΠR�EV
SV>l.O3k!
g���z-6*�B��~/�>{'sg+�IW�KM0TtEų[T썊cn%m:�v��B__��k�:�5Q3Z�� %EC?�k
p�z�?a�c W��}}<�\5?Y3�쓭/>AݷD@�N$p� g;6^a�� /`xI(�Bcعkjz,jp�Opރ6p�٫���#u͇RiE�rT)玾ߓJ�0mFp@S�10J+5ɪ"+UW9 ط]�V++R�0�X����^*(d@#غ̏x�#�xC7d9+�_q9}��L&�ŠNC�a�Mvn[F0�u�|w�]�{2��Y&38L
"�7�.@c�ucC}� ,�H2�e` NW��}}�.Le-zyמ;ħ;8��,Tp`ٴd'P�c��Q0F?q��[<7T߱
9@�IGMgɱF?[">�3AR=bŇ."<�CϾ�ty5B2�Ɉϗ4w[|>4H��n+Q$qW�D1μ�
t�x`wƨst�lt7�0m&�Ĥ��GǤAֽ��D#�Z#7X�nƄ_�ð@o=N7"V�?";-i��5|v�[~K��~q]@-=0�Ƕt1�o6.ώ{;];!5�k�up{��)Հ`�ۇ��|�ݫ�Ϥ�%d|��b2Oty'�W�x;3ѫŷG0MDkfAl!�&r_ػ� Ǯ��lNz��Ԅ�=G }�+m}�s�o%ʎ�$J�X�g,/��z�Ô(>_>x�8"�2HH�2s�{D�|'ЂZ�{JfAZzAw��F/�?qJ �� Vi v˧6M\�5On\{.̿ۃ[4r�@>FыpO`w�BG=hO�t(�L�hqzF߭Uh#ɕ MXB|X
�Y�8[�{]'xaw]o�\�9&�f.Hvx!�"�v"Гx܋�Z^y�Crl%mxc�"=���͍G,[K�|�IK:uW¹":UXrHٍ���h,8/# �ti�;P?�Ba1\�XdG�x
ky�j�ŧSXW<߶ZP'J8Vw(l6�ږ?Y�瑮c/!k8~mA=fe�,+U�rcxdk�[f�:eP1eX� o'ᠢ'׀%V`��9"H�]S|8N]=PŃ�H�Ƹ[[�q~6`;Ш�1DLMv)E9b�\��Q�pS�ؕE'�l�d3k'gycD]Y>�Ѝ
a�O1!ngFb���
�fφŀ�n{H�6���Yf+3s묟ƫ�R6Ȥ{� �m�PC�dk=R+�Eq�
sX
ǼVwWRڱ!�;/D?8��A
c�, ��;fcJ
�,�oԛ'TS*a#�o�*�;AN7�Wm���S$��ˉ;[�S'�>�Z�$.V36ٳכ+[TchGޘ'�,E�1ԛa$(z��0��~��
��sx!�׆)�a+Eb2z(ͧ,1F_f�T{��
LW{څ$hxb
<���nBh1 ��b'�kI���'���R&la$r��R3 NjET z.�t3�^�\/4xv{ϼ�0SS2w�ħ$Yw���@��Ogr|A>&�:x~ea��@xT\*z7V?Pv/isTO3uG?�<;�o�5z_ayB;FLl4�7·y:�?C[7nyq�ݏ-),h#/-(j�LN`��Xfչ,�u+ߴ[FkWy�*F
{kfuU+k;idM>l+:cSEᘸe=)jal9n~;�>{jX~r[)CUk̹D/5V_JB\jh5
|
Application Development 
