Comments on: Thoughts on awareness of security vulnerabilities & full disclosure http://damieng.com/blog/2007/12/20/thoughts-on-awareness-of-security-vulnerabilities-full-disclosure?utm_source=rss&utm_medium=rss&utm_campaign=thoughts-on-awareness-of-security-vulnerabilities-full-disclosure A .NET developer in silicon valley Sun, 25 Dec 2011 15:10:30 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: steve http://damieng.com/blog/2007/12/20/thoughts-on-awareness-of-security-vulnerabilities-full-disclosure#comment-5673 steve Thu, 20 Dec 2007 11:29:59 +0000 http://damieng.com/blog/2007/12/20/thoughts-on-awareness-of-security-vulnerabilities-full-disclosure#comment-5673 To be honest I find it quite incredible that this is still an item for debate - it's been a known issue for so long after all. But there are so many 'green' developers out there making apps, and so many of them gravitate towards 'quick & dirty' techs like PHP and ASP without knowing what the hell they're doing, I guess it's no surprise. Security issues like this should be covered as standard in university courses really, it's so fundamental to modern development; even just having an awareness of it rather than a deep knowledge would help I'm sure. It all adds fuel to the argument that the more experienced library / platform developers, particularly those aimed at entry-level people (which .Net is always pitching at, IMO, with all its wizards and create-me-an-app-now helpers) should assume that a significant number of developers using their tech will be totally clueless, and thus default to protecting them from themselves. Smart developers will always figure out how to do what they need to so any extra default behaviour won't bother them if they need to avoid it, but dumb developers will happily use whatever crappy code snippets and insecure libraries are available with impunity and create a whole new generation of problems. To be honest I find it quite incredible that this is still an item for debate – it’s been a known issue for so long after all. But there are so many ‘green’ developers out there making apps, and so many of them gravitate towards ‘quick & dirty’ techs like PHP and ASP without knowing what the hell they’re doing, I guess it’s no surprise. Security issues like this should be covered as standard in university courses really, it’s so fundamental to modern development; even just having an awareness of it rather than a deep knowledge would help I’m sure.

It all adds fuel to the argument that the more experienced library / platform developers, particularly those aimed at entry-level people (which .Net is always pitching at, IMO, with all its wizards and create-me-an-app-now helpers) should assume that a significant number of developers using their tech will be totally clueless, and thus default to protecting them from themselves. Smart developers will always figure out how to do what they need to so any extra default behaviour won’t bother them if they need to avoid it, but dumb developers will happily use whatever crappy code snippets and insecure libraries are available with impunity and create a whole new generation of problems.

]]>