The Need for Secure Systems

Part I

Contemporary Security

Chapter 1

The Need for Secure Systems

As the Internet grows in importance, applications are becoming highly interconnected. In the good old days, computers were usually islands of functionality, with little, if any, interconnectivity. In those days, it didn't matter if your application was insecure (the worst you could do was attack yourself), and so long as an application performed its task successfully, most people didn't care about security. This paradigm is evident in many of the classic best practices books published in the early 1990s. For example, the excellent Code Complete (Microsoft Press, 1993), by Steve McConnell, makes little or no reference to security in its 850 pages. Don't get me wrong: this is an exceptional book and one that should be on every developer's bookshelf. Just don't refer to it for security inspiration.

Times have changed. In the Internet era, virtually all computers (servers, desktop personal computers, and, more recently, cell phones, pocket-size devices, and other form factor devices such as the AutoPC and embedded systems) are interconnected. Although this creates incredible opportunities for software developers and businesses, it also means that these interconnected computers can be attacked. For example, applications not designed to run in highly connected (and thus potentially harsh) environments often render computer systems susceptible to attack because the application developers simply didn't plan for the applications to be networked and accessible by malicious assailants. Ever wonder why the World Wide Web is often referred to as the Wild Wild Web? In this chapter, you'll find out. The Internet is a hostile environment, so you must design all code to withstand attack.

I'm Not Crying Wolf

On Friday the 13th, July 2001, www.sans.org, the Web site operated by the SANS (System Administration, Networking, and Security) Institute, was defaced. The following week, SANS sent an e-mail to all subscribers of their SANS NewsBytes with the following commentary:

This has been a startling reminder of just how devastating an Internet attack can be. Every single program and setting has to be reviewed and, in many cases, redesigned so that they can safely operate, not just in today's attacks, but also in the face of the threat level we will experience two years down the road. Some services may not be available for days.

The Internet is indeed a hostile environment. You can read more about the defacement at www.msnbc.com/news/600122.asp.

Important

Never assume that your application will be run in only a few given environments. Chances are good it will be used in some other, as yet undefined, setting. Assume instead that your code will run in the most hostile of environments, and design, write, and test your code accordingly.

It's also important to remember that secure systems are quality systems. Code designed and built with security as a prime feature is more robust than code written with security as an afterthought. Secure products are also more immune to media criticism, more attractive to users, and less expensive to fix and support. Because you cannot have quality without security, you must use tact or, in rare cases, subversion to get everyone on your team to be thinking about security. I'll discuss all these issues in this chapter, and I'll also give you some methods for helping to ensure that security is among the top priorities in your organization.

If you care about quality code, read on.



Writing Secure Code
Writing Secure Code, Second Edition
ISBN: 0735617228
EAN: 2147483647
Year: 2005
Pages: 153