June 13, 2008

We can't write secure code - so let's (not) give up and keep tryin'

Last week, Mike Rothman (here: http://securityincite.com/TDI-2008-06-05#TBP1) commented on the claims made on Stuart King's blog (see http://www.computerweekly.com/blogs/stuart_king/2008/05/david-lacey-makes-the-importan.html):

Systems are simply too complicated with too many lines of code for anyone to expect that they can be released without containing bugs and security holes. That doesn't mean that we shouldn't try, it just means that we should take a different approach. That approach, in my opinion, is to take a leaf out of the new edition of the PCI standards and stick a ruddy great application firewall in front of everything. That doesn't make the code secure, it's a sticking plaster over a wound. But - to continue the analogy - a plaster stops the bleeding, prevents germs getting in, and while it's not a cure, it's good enough.

Mike's answer:

Then Stuart basically falls back into the tried and true security mentality of throwing a box (a web app firewall) at the problem. That's a cop-out. First of all, a WAF is not a panacea for application security. And just because users want more and faster, doesn't mean they should get it. Everything gets back to a business decision. If the business decides it's worth the risk to roll an application that has holes, so be it. Just make sure they understand that when the dudes in the radioactive suits come in to clean up the mess. By the way, I'm all for WAF as a supplement to application security efforts, WHERE APPROPRIATE. But to give up the ghost on trying to write secure code because it's hard isn't the answer either.

First, I'd like to make it clear that, in my opinion, a WAF is the right first line of defense. In some cases it will serve as the only line of defense. The question should not be whether secure code is possible, or whether to fix the code versus deploying a WAF. The question is how to provide continuous security while application problems are being fixed. There's always one more bug, and the WAF will be there for you, rain or shine. And now comes the "but": we should strive to write secure code, and we need to fix the problems we have discovered, and then fix the problems that the previous fixes created.
