JS Ext

Tuesday, December 31, 2013

Difficulty in Learning to Program Securely

There are some general tips for secure programming. Check pointers. Validate input from users. Use parameter binding when performing SQL. Those are pretty obvious. Every day, more and more alerts go out about security vulnerabilities, and in almost none of them is the actual security hole discussed. You sometimes see example exploiting code, but you almost never see example exploited code. How are software engineers supposed to learn from the mistakes of others? It seems we have to repeat those mistakes ourselves before we learn the lessons. I understand that proprietary software vendors don't want to release their source code, and that they fear doing so would let more people hack their software. But how can we grow as an industry if the details are hidden from us?
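To make the "parameter binding" tip concrete, here is an added example (not code from the original post) that puts the vulnerable form next to the safe form so the difference in behaviour can be observed directly. It uses Python's built-in sqlite3 module with a constructed in-memory table; the function names and sample rows are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data for the demo: a tiny in-memory user table.
SAMPLE_USERS = [("alice", "alice@example.com"), ("O'Brien", "obrien@example.com")]


def make_db():
    """Build a throwaway in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_unsafe(conn, name):
    """String concatenation: the user-supplied value becomes part of the SQL
    text, so the database parser treats it as statement syntax, not data."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Parameter binding: the statement text is fixed; the value is passed
    separately and is never parsed as SQL, whatever characters it contains."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run both versions on the same input and report what each one did.

    A database error from the unsafe version is returned as a string rather
    than raised, because the error itself is the evidence that the input was
    parsed as SQL.
    """
    conn = make_db()
    try:
        unsafe = find_user_unsafe(conn, name)
    except sqlite3.Error as exc:
        unsafe = f"error: {exc}"
    safe = find_user_safe(conn, name)
    conn.close()
    return {"unsafe": unsafe, "safe": safe}


if __name__ == "__main__":
    # A plain name, a legitimate name containing a quote, and a crafted value.
    for value in ["alice", "O'Brien", "x' OR '1'='1"]:
        print(repr(value), "->", compare(value))
```

The legitimate input `O'Brien` is the most instructive case: the concatenated query fails with a syntax error, which is the same root cause that makes the crafted value return every row, while the bound version returns exactly the one matching row in both cases and nothing for the crafted value. Review checks that flag any SQL text built with `+` or an f-string from request data catch this whole class before it ships.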

Time and time again I hear about another company or another product being vulnerable to a major security flaw. Many of those flaws sound preventable. The art of programming securely doesn't seem to exist. Blindly following guidelines doesn't always work; it often makes the problem worse. Developers need to be educated about writing secure code. I find it amazing that an industry this important isn't allowed to learn from its own mistakes. Everything is kept secret. As long as new developers keep joining the workforce, our industry will be doomed to repeat itself.
