To write secure code, you do have to think like an attacker - flaskdata

To write secure code, you do have to think like an attacker

admin

October 6, 2008

A security checklist for a developer might make it look like writing secure code is kids stuff, but even kids think like attackers sometimes.
Microsoft are doing some interesting work on SDL – Secure Development Lifecycle. I’m just not sure I agree with dumbing it all down to a checklist and letting developers work without attacker hard hats.
Today, we got an email out of the blue from a security consulting firm asking for a phone call to discuss “deep technical information for a client who is buying a threat modeling tool”. A little poking around clarified the motivation. First – the proximity to the Microsoft pre-announcement of their SDL 3.0 (Microsoft to Share Its Secure Development Blueprint, Threat Modeling Tool) on September 19, 2008 (the tool will be released some time in November). Then a visit to the GRC (governance risk and compliance) firm’s Web site showed some pre-announcements of their own for a IT risk assessment tool that seemed to have a good deal of similarity in it’s marketing messaging to PTA – Practical Threat Analysis – our free risk assessment tool.
I think they say imitation is a form of flattery but when a competitor (a big one like Microsoft or a smaller one like this GRC consultancy) copies ideas without sharing and attributing (as in Creative Commons sharing and attribution) it is annoying.
Still – it isn’t enough to copy ideas – you do actually have to have some original ideas of your own, as Microsoft definitely do.
Adam Shostack – who is Program Manager at Microsoft for SDL was quoted in Dark Reading that
“This [tool] allows us to start from the point of view of the software engineer… and to pull them through the process that doesn’t require them to think like an attacker or delve into anything they don’t know.”
I don’t think so.
If you want to develop secure code – start thinking like an attacker. If anything, use tremendous resources of the Microsoft Developer community to HELP them delve into stuff they don’t know. The more you learn about how your code can be used (or mis-used) – the better code you will write.
I just don’t think there is any other way to do it.

More Articles

Risk assessment

CLINICAL TRIAL READINESS ASSESSMENT

December 2, 2022 No Comments

Are you really ready to run a clinical trial? How can you best assess your clinical trial readiness? We work with C-level executives and management

clinical data from patients

Assuring protocol compliance without checklists

November 29, 2022 No Comments

At a site monitoring visit, the CRA works on assuring protocol compliance. Assuring protocol compliance is one of the 3 pillars of GCP: The 3

Decentralized clinical trials

Home alone and in a clinical trial

November 27, 2022 No Comments

1 in 7 American adults live alone COVID and social isolation is part of our lives. During COVID, it became easier to recruit patients for

drug counterfeiting

Preventing drug counterfeiting

October 24, 2022 No Comments

Counterfeiting is old as money itself. Drug counterfeiting is no exception. In this post, we’ll share an analytical approach that you can use to estimate

clinical trial risks

What risks really count for your clinical trials?

October 23, 2022 No Comments

Is there a “black-box” risk management solution for your clinical trial? What clinical trial risks are the most important for you and your company? Risk

growth stage

Dealing with information junkies in decentralized clinical trials

October 18, 2022 No Comments

DecentraIized clinical trials software vendor Medable is doing an outstanding job in understanding and executing an online work-flow between sites and patients at home.. This understanding and

Clinical data made radically simple and affordable.

Contact

Resources

Flask Open API for clinical data

Copyright © 2022 Flask Data Ltd. All Rights Reserved.

Privacy Policy | Terms of Use