Building Secure Software

By Deane Barker on November 15, 2002

Here is a fantastic article by Michael Bacarella about how to build secure software. In it, Bacarella vents his anger at the crappy software some people write and presents a laundry list of ways to write better systems. To wit:

“The user is pure evil. All data entered into an application must be scrutinized vigorously. Most dingbats, if they even think to filter anything at all, think of one or two characters that could be used to do harm and filter those out. This is a mistake. You won’t think of all of the possible ways. Filter out everything but good data instead.”
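That last sentence is the one most people get wrong, so here is a small example of my own (not from Bacarella's article) showing the difference. The "dingbat" version strips a few characters it knows are dangerous; the other version says exactly what a good username looks like and rejects everything else. The sample inputs are constructed for the demonstration.

```python
import re

# Constructed sample inputs, not from the article: a username field that
# will later end up in a shell command or a SQL query.
SAMPLES = [
    "alice",                  # legitimate
    "alice; rm -rf /",        # obvious shell metacharacter
    "alice\nrm -rf /",        # newline is also a command separator
    "alice%3Brm%20-rf%20/",   # same payload, URL-encoded once
    "alice' OR '1'='1",       # SQL injection attempt
    "alice\x00",              # embedded NUL byte
]

# The denylist approach: the "one or two characters" the author happened
# to think of. Everything else sails through.
DENIED = ";|&'\""


def denylist_filter(value: str) -> str:
    """Strip a handful of characters believed to be dangerous.

    This is the approach the quoted passage criticizes. It only removes
    what the author thought of, so the newline, the URL-encoded payload
    and the NUL byte all pass untouched.
    """
    return "".join(ch for ch in value if ch not in DENIED)


# The allowlist approach: define what good data looks like and accept
# only that. Lowercase letter, then 2 to 31 lowercase letters, digits or
# underscores; nothing else, no matter how it is encoded.
USERNAME_RE = re.compile(r"\A[a-z][a-z0-9_]{2,31}\Z")


def allowlist_validate(value: str):
    """Return the value if it has the allowed shape, otherwise None.

    Note that '%', newline and NUL are rejected without the validator
    knowing anything about URL encoding, shells or databases: they are
    simply not "good data".
    """
    if USERNAME_RE.fullmatch(value):
        return value
    return None


def compare(samples=SAMPLES):
    """Run both approaches over the samples; returns {input: (denylisted, allowlisted)}."""
    return {s: (denylist_filter(s), allowlist_validate(s)) for s in samples}


if __name__ == "__main__":
    for raw, (filtered, validated) in compare().items():
        print(f"{raw!r:28} denylist -> {filtered!r:24} allowlist -> {validated!r}")
```

Run it and look at the middle column: the denylist "cleans" the first payload into `alice rm -rf /`, which is still a command, and hands the encoded and newline variants straight through. The allowlist column accepts exactly one input, the real username.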

He doesn’t go easy on Microsoft either:

“If something like Windows plays any part at all in your system design, you should probably give up now. Despite being closed source, holes are discovered constantly. The Windows system is also far too massive, complex, and user unfriendly for human beings to have any hope in securing it … It should be no surprise then that using it in a secure environment is positively ludicrous. A non-Windows system is not a guarantee of invulnerability, but keeping a Windows system is guaranteed to put you at risk.”

All in all, this is a great article. Very much worth reading.