Make your own free website on
« April 2008 »
1 2 3 4 5
6 7 8 9 10 11 12
13 14 15 16 17 18 19
20 21 22 23 24 25 26
27 28 29 30
You are not logged in. Log in
Entries by Topic
All topics  «
Computer Security
Blog Tools
Edit your Blog
Build a Blog
RSS Feed
View Profile
Security Thoughts on MyBlog
Sunday, 20 April 2008
Security features != Secure feature
Mood:  a-ok
Topic: Computer Security

Very recently, I was reading a book on security code review with static analysis. In the first chapter, the book introduced the problems with code writing and how did vulnerabilities born in this stage of SDLC. I recommmend the book highly (Secure Prpogramming with Static Analysis by Chess & West).

"I work in security," whenever I say this, they say "Oh.. like cryptography...." No, its not that. I work on how people hack into your computer or how, in the first place, they exploit bugs. How to detect such attempts, how does a virus spread..etc. So, the question is What is the difference between these two types of security? Well... the first one is the Intended security feature. you want to have this feature such that it provides encryption, authentication access control etc. All these are present during software requirement time. But, vulnerabilities are not present in the requirement and, therefore, are "unintended features." Most of the time, these unintended features are not the part of security feature, but the add to major security holes in the software. Most of the time, virus/worm/trojan and hacking attempts are based on such holes. There are not many reports of security breach due to the failure of security feature (cryptography) as such. Actually, I always question on why are we bothered about cryptanalysis so much for our not-so-important softwares. how many reports do we have on attacks where breakin was due to weak crypto? i doubt not more than a few tens ot hundreds. But if u search hacking/virus etc...tens of thousands. so its a high time for us (as a programmer) to give a serious thought about having a hecker's mind while coding. At least we can be careful not to use function that lead to some known vulnerabilites. I feel there shoud be a dedicated team in every big company to monitor latest trents/techniques and train programmers to avoid them.

Posted by sanjay-rawat at 6:00 PM

View Latest Entries