The InfoSec Blog

Why applications have security bugs

Posted by antonaylward

http://blogs.msdn.com/aaron_margosis/archive/2008/03/03/why-apps-have-security-bugs-attempted-humor.aspx

It was this comment to the posting that caught my attention:

Some of us idiots used to think that any devs who weren't aware of buffer overflow before the Morris worm would be aware of it after the Morris worm. But in fact, your posting almost points out why many devs remain blissfully unaware:

"we developers were trained to focus on and typically only ever focused
on how legitimate users will use the product"

Close. Developers who want to have good jobs have to get trained to focus on how their managers pretend the product will be used. Anyone who thinks as far out as actual end users will get canned for not being
a team member. Anyone who thinks even further out about actual end misusers will be sued for being a hacker. But yeah, you explained it.
Thank you.

Long time readers will know that the Morris worm is my poster-boy for complaining that modern schools don't teach defensive programming.

It seems I'm not alone.

Reblog this post [with Zemanta]