• Why is software security so hard?


    • This topic has 8 replies, 6 voices, and was last updated 1 month ago.
    #2746948

    ON SECURITY
    By Susan Bradley

    I’ve had discussions with developers about how and why software bugs get introduced into software. Most of the time, it’s
    [See the full post at: Why is software security so hard?]

    Susan Bradley Patch Lady/Prudent patcher

    10 users thanked author for this post.
    • #2746987

      Susan wrote “Most of the time, it’s because humans write the code, and then we humans use the code, often doing things that the software developer just didn’t think we’d do.”

      Back in the dim past when DOS ruled the world a database application kept experiencing data corruption. After tons of aggravation we discovered that multiple users trying to concurrently use the same database encountered the famous “Abort, Retry, Ignore” message.

      Naturally, being human, they chose Ignore and continued on.  When asked why they never mentioned these occurrences the response was that since the Ignore choice was offered it must be an acceptable response and not worthy of mention.  🙂

      4 users thanked author for this post.
    • #2747012

      Software security isn’t hard, but it requires understanding and attention to detail.

      If your OS vendor, driver vendors, government mandated backdoors, application vendors — any of them — drop the ball, you’re sunk.

      I can’t tell you how many times management is pushing to cut corners on security just so they can meet some arbitrary scrum deadline. I never skimp on security and am often chewed out by upper level execs for identifying new weaknesses, fixing them and missing pie-in-the-sky deadlines.

      Sure, missing out on bonuses and getting bad review feedback for doing the right thing sucks, but if I know there is a problem I won’t be signing off on the design or implementation.

      The fact is, many simply don’t care about security until it becomes a visible problem to customers — and even then they only want to fix the bare minimum for the presently visible problem.

      6 users thanked author for this post.
    • #2747059

      I had the 16KB  TRS-80!!

      Is it still safe to use a password manager and have fully unique passwords for all of my various sites/accounts?  I honestly do not understand the passphrase thing, at least as long as you use long and unique passwords for everything.  Thanks.

      • #2747132

        John,

        IMHO, yes it is still safe to use long unique passwords. I’d add two factor authentication where available!

        May the Forces of good computing be with you!

        RG

        PowerShell & VBA Rule!

        2 users thanked author for this post.
        • #2747212

          Yeah, I do that too.

          Thanks.

          1 user thanked author for this post.
    • #2747110

      The CISA Phishing-resistant MFA  link was fascinating and relevant reading. The table in that paper really puts various security measures into perspective.

      -- rc primak

      2 users thanked author for this post.
    • #2747152

      As an old Ada programmer, I’m happy to see it made the list of memory-safe coding tools.

      There are several big problems with languages like “C”, but here are three:
      1.  “C” is terse, and can be inscrutable, to the point that one periodical used to run “C” brain teasers: I.e., What does this “C” expression actually do?
      2.  The language is not hard typed; programs are typically compiled without running any compile-time checks — to say nothing of the language having any built-in run-time checks.  The programmer assigned a 64-bit floating point variable to an 8-bit integer variable?  Or writes past the end of an array?  S/he meant that.
      3. Uninitialized variables can be used in expressions.  Particularly bad if the uninitialized variable is a pointer.

      One coworker I knew told me he once worked on a NASA-funded project to program two industrial robots, one in “C”, the other in Ada.  He said that they would routinely enter the operating envelope of the Ada robot while it was powered.  The “C” robot?  Never.

      • #2747155

        I’ve forgotten where I read this but my inexact remembrance is “With C it’s easy to shoot yourself in the foot.  C++ makes it easy to blow your leg off.”

        1 user thanked author for this post.
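The three C problems listed in post #2747152 (narrowing a 64-bit float into an 8-bit integer, writing past the end of an array, using an uninitialized pointer) can each be caught by a check the programmer writes by hand. The C sketch below is an added example, not part of the original thread; the names `narrow_to_i8`, `small_buf`, `buf_store` and `read_through` are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Point 2, narrowing: a plain cast of an out-of-range double to an 8-bit
 * integer is undefined behaviour in C; Ada raises Constraint_Error instead.
 * (gcc/clang -Wconversion reports the implicit form at compile time.) */
bool narrow_to_i8(double v, int8_t *out) {
    /* v != v is true only for NaN; the cast truncates toward zero, so the
     * result fits exactly when -129 < v < 128. */
    if (v != v || v <= -129.0 || v >= 128.0) return false;
    *out = (int8_t)v;
    return true;
}

/* Point 2, array bounds: the array carries its length and every store
 * is checked against it. */
typedef struct { int data[4]; size_t len; } small_buf;

bool buf_store(small_buf *b, size_t idx, int value) {
    if (b == NULL || idx >= b->len) return false;
    b->data[idx] = value;
    return true;
}

/* Point 3: pointers start as NULL and are tested before use, so a
 * forgotten assignment fails cleanly instead of reading a stray address. */
bool read_through(const int *p, int *out) {
    if (p == NULL) return false;
    *out = *p;
    return true;
}

int main(void) {
    int8_t small = 0;
    small_buf buf = { {0}, 4 };
    int *unset = NULL;            /* explicitly initialized, never assigned */
    int got = 0;

    bool a = narrow_to_i8(300.0, &small);   /* out of range */
    bool b = narrow_to_i8(100.5, &small);   /* truncates to 100 */
    bool c = buf_store(&buf, 4, 9);         /* one past the end */
    bool d = read_through(unset, &got);     /* NULL pointer */
    printf("300.0 -> int8: %s\n", a ? "ok" : "rejected");
    printf("100.5 -> int8: %s (%d)\n", b ? "ok" : "rejected", small);
    printf("store at [4]:  %s\n", c ? "ok" : "rejected");
    printf("read unset:    %s\n", d ? "ok" : "rejected");
    return 0;
}
```

Ada performs the range and index checks automatically; in C they exist only where someone remembers to write them.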