Community Wiki Question

Every time I work on a project involving passwords or securing data I get mired down in obscenely complex APIs and issues. I have not had much formal training in developing secure applications, but I have not had much formal training in database, GUI, and build processes either. Many other areas of programming feel more intuitive.

Is security just a far more complex area than many others? I tend to think that it is not. Are security interfaces and systems less mature than others? I would tend to think that there is a great deal of pressure for those systems to mature. On UNIX the 'trusted environment' was the norm until somewhere in the 90s. Is UNIX just suffering from its roots in this area?

Technology changes fast. Since I have been in school the computing world has become far more distributed and critical. Has security been dragged along for the ride as an afterthought? Are any new technologies promising? Are you suffering the same way I am?

+8  A: 

Good security is hard, very very hard.

Tim Jarvis
This is very true. The more I learn about the ways code can break, the more amazed I am that it works as well as it does as much as it does. Even old-school, basic security flaws (int overflow->code execution, e.g.) can make my head spin.
Greg D
A: 

I think that security is so hard because people feel inclined to do what they shouldn't, and try their best to overcome any barriers they find.

If only this willpower were used for something good...

Renato Besen
+2  A: 

Apart from the considerations in the other answer, it is also because security is a balance between effective protection and effective ease of use. A system that is too complex to use due to its stringent security will likely fail the user, who will drop it. Your role as a designer/developer is also to find the proper compromise between these two opposing forces, something which tends to introduce even more trouble.

Stefano Borini