Author: Miles Fidelman Date: To: dng Subject: Re: [DNG] Nasty Linux systemd security bug revealed
>>> Andreas Messer said on Mon, 26 Jul 2021 09:38:23 +0200 >>>
>>>
>>>> My feeling is that you cannot simply teach someone how to write
>>>> safe software.
>>> Why not? You can teach a person to do anything else. But maybe not in
>>> college, because college is built to make money, not to teach.
>>> Consider the average textbook and compare to the average "For
>>> Dummies" book. The former makes the subject matter look incredibly
>>> complex, justifying the professor. The latter makes it easy to learn.
>>>
>>> What is needed is a curated document explaining the five or ten or
>>> twenty things you need to do to be secure, and then how to achieve
>>> them in a practical world. Let's start with input field cleansing and
>>> protection from errant pointers and buffer overflow. There are many
>>> more:
Because there will always be new failure modes & vulnerabilities - it
comes with any complex engineering activity.
You can teach people to avoid KNOWN failure modes & vulnerabilities, and
establish processes and methods to avoid them (e.g., tooling, testing,
design reviews, etc.) - but there will always be new ones - that can
only be detected in the breach. Good engineers can, perhaps, see and
avoid some. Penetration testing can help find others before fielding.
But ultimately, there will always be unsafe code in the field - that
will only be detected in the breach.
As von Moltke put it, "no plan survives contact with the enemy." It
probably has something to do with computability (P/NP and all that).
We could learn from the way the aerospace industry responds to plane
crashes, though. And, maybe, trash "agile" and go back to design
processes that got us to the Moon (you know, serious, step-by-step,
design, document, review, test).
Miles Fidelman
--
In theory, there is no difference between theory and practice.
In practice, there is. .... Yogi Berra
Theory is when you know everything but nothing works.
Practice is when everything works but no one knows why.
In our lab, theory and practice are combined:
nothing works and no one knows why. ... unknown