ВУЗ:
Составители:
Рубрика:
67
networked world. And the third factor is something where we've only seen the tip of
the iceberg. It's called extensibility. The idea behind an extensible system is that code
will arrive from God knows where and change the environment.
Such as?
A perfect example of this is the Java Virtual Machine in a Web browser, or the
.Net virtual machine, or the J2ME micro VM built into phones and PDAs. These are
all systems that are meant to be extensible. With Java and .Net, you have a base
system, and lots of functionality gets squirted down the wire just in time to assemble
its elf. This is mobile c ode.
The idea is that I can't anticipate every kind of program that might want to run
on my phone, so I create an extensible system and allow code to arrive as it is needed.
Not all of the code is baked in. There are a lot of economic reasons why this is a good
thing and a lot of scary things that can happen as a result. I wrote lots about this in
1996 in the Java security book. So, if you look at those three problems together–
complexity, connectedness and extensibility–they are the major factors making it
much harder to create software that behaves.
What are some of the specific problems facing programmers trying to write
secure code?
There are many subtleties in writing good programs There's too much to know,
and there aren't many good methods in how to develop software securely. The tools
that developers have are bad. Programming is hard. And popular languages like С
and C++ are really awful from a security standpoint. Basically, it's not an exact
science. So all of these factors work together to cause the problem.
Who else shares responsibility for this problem?
If you think about who practices security today, you'll find that it's usually a
network architect, someone who understands the network, an IT person. Now, who
develops software. Software architects and developers. Those guys don't talk to the
security or network guys. They're often not even in the same organization. The
software guys are associated with a line of business, and the IT stall is part of
corporate infrastructure.
Historically, isn't part of the problem the fact that a lot of software was
de ve lope d before compute rs were network e d?
Sure, but computers have been networked for a long time now. You can't exactly
say that the Internet is new. Yet we're still producing code as if it were living in a
non-networked environment, which is why the connectivity thing is part of this trinity
of trouble. Most developers do not learn about security And so we see this same
problem come up over and over again, like butler overflows, for example.
Страницы
- « первая
- ‹ предыдущая
- …
- 66
- 67
- 68
- 69
- 70
- …
- следующая ›
- последняя »
