Friday, May 16, 2008

article on security

a while back, i was referred to an article by bruce schneier entitled "the ethics of vulnerability research" regarding the ethics of vulnerability research. (yeah, duh, girl, that is the title of the article!) i completely agree, not that he needs my vote. my opinion is that asking skilled security programmers not to try and hack into something is like saying programmers in general should stop looking for bugs.

although i found the tone of the counterpoint article by marcus ranum a little too alarmist at the close, i like the idea of looking for ways to make vulnerabilities smaller up front by eliminating whole categories of failure possibilities. still, would it really help to put major check gates into application development tools that made some things impossible because of the security risk? i think no. somebody is always going to have a great reason why they absolutely need to write that unmanaged code.

this topic is somewhat new to me - i think of application security and data security from my limited context of user applications and can honestly say i have never considered myself capable enough to attempt any kind of root breach for fun...