[kwlug-disc] Security arguments
kb at 2bits.com
Wed Sep 23 14:51:21 EDT 2009
> 0. Everybody starts out as a newbie.
> 1. Newbies make mistakes and (by definition) don't understand every
> nuance of their programming/sysadminning environments.
> 2. Therefore, mistakes will be made.
> This has some implications:
> 0. If you expect your programmers and sysadmins to go through hoops to
> make their code secure, then there will either be a lot of insecure
> code or there won't be any newbies (so your language will die).
I have noticed something similar a while ago: "pure" programmers don't
bother/care much for the infrastructure. They don't care if their code is
fast, or is scalable, or is secure. Some of that is because they are so
focused on functionality, some of that is due to the lack of knowledge in
these areas, and some is due to deadline pressures. Many lack a holistic
view of "the system" as a hole.
I have seen this everywhere, whether it is COBOL on mainframes, or Open
web projects. I have a friend who noticed the same thing too, in a
We have differentiated skills now, the skill for development is one thing,
for system admin is another, scalability is another, and security is
I look back into history and see something similar: remember the days of
polymaths? The "know it all" guys, for example Averroes, a guy in medieval
Spain who was a philosopher, physician, and jurist too. There are many such
figures in history, but now it is impossible with the areas of knowledge
having grown so much that there is no option but specialization, with some
basics for a substrate, but no deep knowledge/skills in everything.
The same is happening in Software, IT, and of course open source.
Interestingly, this provides a business opportunity for 2bits and others,
because of the gap we fill. I see the same trend within Drupal, a few years
ago, companies would provide "Drupal consulting", now there are more
specialization "themers", "performance tuners", "developers", ....etc.
Sorry for the digression ...
> 1. Therefore, as much as possible you want sensible defaults that
> avoid common security problems.
I think that Linux distros have learned these lessons the hard way.
> Now when you install Ubuntu there is no SSH server enabled by default,
> and almost all ports are closed. I think that is sensible, because a
> newbie has to worry less about stupid SSH worms.=
Khalid M. Baheyeldin
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra
Simplicity is the ultimate sophistication. -- Leonardo da Vinci
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the kwlug-disc