Excellent computer security is possible. A huge step towards achieving it starts with a broad understanding of computer security research. Given the right information and awareness, people who write software have the potential (though not the guarantee) to produce software that is more respectful of privacy and security. A tremendous amount of information exists on computer security concepts and practices. The application of these concepts and practices can range from simple standards and techniques to extensive use of tools, procedures, auditing, and expert administrative management of systems. The simple standards are the most appealing, as they may be more compatible with a functionality-based view of software. As systems grow and requirements evolve, more rigorous methods may become necessary.
Straightforward software development means limiting excess. Excessive code libraries, excessive code patterns, excessive dependencies, and excessive functions and features are all symptoms of unwieldy software. Such software may be slow, more prone to errors, difficult to change, and more costly to maintain. Straightforward code is streamlined, small, well conceived (intuitively or explicitly), and projects features in a clean and user-acceptable way. Most attempts at software, and at improving the skills to build software, strive towards the practical way.
Several books have emphasized good practical code over the years. They include titles like Code Complete. I read both editions and I think it does a good job of balancing rigorous software practices with insights to define software that is programmer-oriented rather than process-oriented. That appeals to many who would see more of their vision represented in software with minimal defects or negative side effects.
Another good title is The Pragmatic Programmer. It was one of the most straightforward books I read on the idea of simplifying programming in a way that matches one's sense of what is appropriate in creating software. A book by the name of Software Craftsmanship goes far to explore software as an intuitive process that can greatly benefit from the innate skills and evolution of the software practitioner. This idea of software craftsmanship is further detailed on Wikipedia as to what it comprises and the contention that software craftsmanship will always exist.
Process Based Coding
Coding by structured process is the domain of software engineering, in which the theories of computer science find practical application through structured methods. The strength of software engineering is scale, depth, and the harnessing of empirical principles. As far as security is concerned, software engineering can be far more beneficial than craft-oriented software construction, but there is a cost. The cost can arise in terms of adaptability of software to requirements, diminished time to market, and opportunity costs when risks in new advances result in the removal of advances from consideration. Some who look at the prospect of more secure software may ask: where is the balance?
The Perimeter Defines Inner Security Requirements
The balance could be a function of the extent to which operating systems, software execution environments, and general data transmission structures are reliably secure and private. When the perimeter is strong, the interior may see greater latitude in how functions and processes are expressed and devised. That raises the question of how confident anyone can be regarding the certainty of these outer mechanisms. Perceptions surrounding these mechanisms benefit from a greater understanding of some of the main issues in systems security shortfalls. Much of this originates from the software itself; certainly some of it is a function of how hardware is defined, how hardware and software interact, how systems are configured, and the interplay between data and systems.
Understanding the System Begins with Understanding the Unit
An author by the name of Robert Seacord has done an excellent job in going through some of the core issues. I was pleased to see a good discussion of many (though not all) of these issues together in one place. The book, Secure Coding in C and C++, is accessible to anyone regardless of whether they know C or C++. I believe someone who knows PHP, Java, or Visual Basic could read the book, as it is less about the code (there are fewer code examples than you think) and more about the background overview of different security issues common in certain kinds of software. Learning about them helps you think more conscientiously about the impact of a given software coding decision so that you participate more actively in the production of more reliable code. Probably the best outcome of a book like this is that you look beyond writing software that does not crash to thinking about systems in terms of how well they address a much broader range of edge cases, from the standpoint of functionality-centric design that can potentially deliver more reliable systems.