Not his real name, I call him when I finish a project and he meets me behind the local WalMart and gives me the code.
You missed an option: we have a dedicated team of small-minded, pedantic, nit-picking, hair-splitting, weasel-minded bastards dedicated to driving the developers nuts. Yup, the Audit Team, bless their souls, they really do an excellent job.
Never underestimate the power of human stupidity
RAH
This is a necessary skill in a developer. Otherwise, who'd use your system? We never know at all.
A developer that doesn't sanitize his code isn't a developer. Only a coder.
Ygor Lazaro
Not necessarily a necessary skill - only for certain domains.
Like Gary below - our applications don't have security implications. We don't transmit passwords, don't have SQL (therefore a SQL injection attack won't work).
Now safety is a completely different issue - we have mandatory safety reviews as part of a wider safety process for all our applications, some of which interface with hardware with moving parts.
Graham
Librarians rule, Ook!
Our products, in and of themselves, don't have security implications, other than fitting in with a customer's IT policy. That can be a severe PITA.
Our hardware uses dedicated network cards to communicate. It's amazing how many IT drones insist on placing firewalls on a network with exactly two endpoints. Since they never ask which ports to open in the firewall, they insist our hardware is broken.
Software Zen: delete this;
We couldn't employ anyone to do this for us, it wouldn't be good for their health. On the upside, our code base is so bad and wrong that it is hard to spot the problems, working like an abstracted form of peril-sensitive sunglasses. Win win!
Keith Barrow wrote: peril-sensitive sunglasses.
Our sales and marketing people wear rose-tinted versions of those.
Software Zen: delete this;
As all the software my group works on is embedded in a fighter plane, there is no concern about this kind of security.
What really matters to us is the confidentiality of the information stored in the software, and we obtain that by not distributing this information and limiting access to it, and for that we have a separate group.
> embedded in a fighter plane, there is no concern about this kind of security
That's a joke, right?
I do green-painted stuff, and it's security every day. I wanted to check several boxes; I check it myself, we check each other, there is a QS man assigned to us, and we have an outside consultant. We use several kinds of code checker too; DevPartner, Lint, Together. We have a league table of who has the best Coverage (it's me at 96%, and the 4% are all exceptions). For safety critical code we reckon one half of your time is spent testing etc.
(There is also a jerk in project management who tries to check it, but he can't understand it. He logged this as an error; "because he couldn't understand it", but even his boss laughed at him. He said I should document my algorithms better, so I asked sweetly if he hadn't had Pythagoras in school, and if not I would write it down for him. He claims to be The Safety Expert.)
------------------<;,><-------------------
> He logged this as an error; "because he couldn't understand it"
Nice... it's sort of synonymous with saying "I'm not suited for this job, please fire me".
I have 4% coverage, np, the other 96% are exceptions.
I can't help it, I have to cover 95% anyway.
I did it in the end by commenting out everything I couldn't test - like redundant overloaded functions in the parent class, or old stuff not used any more. It needed doing anyway, but I didn't realise how much there was till I ran the coverage checker.
------------------<;,><-------------------
mirdones wrote: As all the software my group works on is embedded in a fighter plane, there is no concern about this kind of security.
LOL LOL LOL
I've never hacked a fighter plane before. I thought it was going to be hard. But you have given me hope.
For instance, we do peer reviews at check-in time and then there is a dedicated security person who reviews the code before the application is shipped.
Same here, and depending on the customer they may audit it as well after delivery.
3x12=36
2x12=24
1x12=12
0x12=18
We had a project where the client hired a 3rd party to do security and penetration testing and shared the result with us.
We just had to fill in those gaps.
Noman Muhammad Aftab,
Software Mechanic
We have Developers and System Administrators, so security responsibilities are spread among both teams.
The fact is that we don't bother much about it anymore. The application architecture is stable and well defined to avoid security holes.
All typical security issues were handled in the early stages, and it's kind of natural now to develop new things based on the same secure architecture.
I'm not saying it's perfect, but we've reached our desired level of security, and to ensure it we just have to follow our patterns.
I have successfully prototyped my Matter Transmitter.
Laboratory tests were successful, now trying a real world application...
[Whump Whump Whump Whooooooshhhh!!!! Thunk]
And as you see, I have a large supply of Bacon, transported from the inside of a locked fridge...
------------------------------------
I will never again mention that I was the poster of the One Millionth Lounge Post, nor that it was complete drivel. Dalek Dave
CCC Link
Trolls
#waves hand#
This is not the bacon you are looking for, move along.
Panic, Chaos, Destruction.
My work here is done.
or "Drink. Get drunk. Fall over." - P O'H
OK, I will win today or my name isn't Ethel Crudacre! - DD Ethel Crudacre
Have a bit more patience with newbies. Of course some of them act dumb -- they're often *students*, for heaven's sake. -- (Terry Pratchett, alt.fan.pratchett)
Sorry! I already ate it...
Real men don't use instructions. They are only the manufacturer's opinion on how to put the thing together.
Manfred R. Bihy: "Looks as if OP is learning resistant."
Kitchen locked.
Front door bolted.
My BACON is secure.
Panic, Chaos, Destruction.
My work here is done.
or "Drink. Get drunk. Fall over." - P O'H
OK, I will win today or my name isn't Ethel Crudacre! - DD Ethel Crudacre
Have a bit more patience with newbies. Of course some of them act dumb -- they're often *students*, for heaven's sake. -- (Terry Pratchett, alt.fan.pratchett)
Bacon is not an application: it is a Resource.
A very valuable resource indeed.
But we have to be able to say:

    using (Bacon mine = GetAllBacon())
    {
        Butty myButty = new Butty(new BreadSlice(2), new Butter(some), new BrownSauce(optional), CookBacon(mine));
        Eat(myButty);
    }

And you just can't do that with an application...
[edit]Missed out the word "not"[/edit]
Real men don't use instructions. They are only the manufacturer's opinion on how to put the thing together.
Manfred R. Bihy: "Looks as if OP is learning resistant."
Indented curly brackets are
Just my 2p-worth!