On Fri, Apr 11, 2014 at 9:13 PM, Carlos E. R. <carlos.e.r@opensuse.org> wrote:
On 2014-04-12 01:02, Ted Byers wrote:
On Fri, Apr 11, 2014 at 6:31 PM, Carlos E. R. <> wrote:
...
had reviewed, and then write several programs to attack it, so they can see, experimentally, hands on, the nature of the vulnerability they almost created, how to exploit it, and how to write the code in the most secure manner possible.
Alas, I doubt there are very many software houses that would support such continuing education of their software development staff. :-(
I would probably fail that testing myself. :-}
Ah, you misunderstand. This testing isn't so much an evaluation of what the kids know, but rather they'd be testing their own experimental programs, with a view to encouraging them to learn as much as possible about secure programming; as always working closely with intermediate and senior programmers. While early on, security wasn't an issue for the applications I developed, it has been a primary focus for quite a few years now, especially because of the sensitivity of the data and the distributed nature of the programs. At the transport layer, we relied on openssl, and mostly assumed it did what it was supposed to do, and we focussed our security related tasks to the application layer. It actually isn't so hard, especially with the ability to use perl's taint mode, and to use regular expressions to verify that the data is valid (of course, we do that validation both on the client and server, so typos are caught early and the experience is quite user friendly).
There was no multitasking when I trained, and it was never a consideration when I was paid for programming. I never had to care about intruders or any kind of attacks. Security, for me, was ensuring that motors would stop when requested, and such... Buffers having the correct size, properly initialized, inside bounds, etc, of course. Accidents, not hackers, were my consideration.
When I was working on applications that resided only on the user's workstation, the same was much the same for me, though at that time, I primarily used C++.
So no, I probably could not code current day security stuff. :-}
But you could learn it quickly, as it is not all that hard, unless you're actually contributing source code to the openssl project. ;-)

Cheers

Ted

--
R.E.(Ted) Byers, Ph.D.,Ed.D.
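The taint-mode-plus-regex pattern Ted refers to above, as an added example that is not part of the original thread or anyone's posted code. It assumes a hypothetical numeric "order id" field, a constructed whitelist regex, and a log file under /tmp; under taint mode perl refuses to let data that came from outside the program (here, a command-line argument) reach a write `open()`, and the only way to clear the taint is to capture the value out of a successful regex match, which forces the programmer to write down exactly what input is acceptable.

```perl
#!/usr/bin/perl -T
# Added example (not code from the thread): validating external input under
# perl's taint mode with a whitelist regular expression. Run as:
#   perl -T taint_demo.pl 1234
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, data from @ARGV, STDIN, %ENV and files is tainted, and perl
# refuses to pass it to open() for writing, system(), exec(), unlink(), etc.
# Before any external command could be run, the environment must be cleaned too.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Whitelist validation: the ONLY way a value loses its taint is by being
# captured from a regex match, so the pattern must describe exactly the
# values we are willing to accept (constructed rule: 1 to 10 ASCII digits).
sub untaint_order_id {
    my ($raw) = @_;
    return undef unless defined $raw;
    # \A ... \z rather than ^ ... $, so a trailing newline is rejected as well
    return $1 if $raw =~ /\A([0-9]{1,10})\z/;
    return undef;
}

my $raw = @ARGV ? $ARGV[0] : die "usage: $0 <order-id>\n";
printf "input '%s' (tainted=%d)\n", $raw, tainted($raw) ? 1 : 0;

# 1. Using the raw value directly in a file name: perl aborts the open() with
#    "Insecure dependency in open while running with -T switch", whatever the
#    value happens to contain (taint tracks provenance, not content).
my $direct_ok = eval {
    open my $fh, '>>', "/tmp/order-$raw.log" or die "open: $!";
    close $fh;
    1;
};
if ($direct_ok) {
    print "direct use of tainted value: allowed\n";
} else {
    chomp(my $err = $@);
    print "direct use of tainted value: blocked ($err)\n";
}

# 2. Going through the validator: either a clean, untainted value or a rejection.
my $id = untaint_order_id($raw);
if (defined $id) {
    printf "validated id %s (tainted=%d)\n", $id, tainted($id) ? 1 : 0;
    open my $fh, '>>', "/tmp/order-$id.log" or die "open: $!";   # now permitted
    print {$fh} "order $id seen\n";
    close $fh;
} else {
    print "rejected: not a plain numeric order id\n";
}
```

The script must be started with `perl -T` (or via the shebang on a system that honours it); starting it without the switch makes perl exit with "Too late for -T option" rather than silently running untainted. Passing an argument such as `1234` shows the raw value blocked and the validated copy accepted; passing `../etc/x` or `12\n` shows the validator rejecting it, which is the point of describing the accepted set positively instead of trying to enumerate bad characters.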