Software application development

This blog is intended to provoke discussion and exchange between like minded software application developers, engineers, architects, project managers - and keen hobbyists too.

Friday 20 March 2009, 7:05 AM

Developer guidance on “unsafe” cryptographic algorithms

Posted by Adrian Bridgwater

With the UK’s Infosecurity Europe show little more than a month away now, the security vendor community is busily polishing up its latest batch of cure-alls and wonder-tools to aid developers and security specialists in the good fight against ‘rouge’ code.

There will be talk of firewalls, new detection techniques and possibly even self-learning apps that use social networking threads to gauge threat status as viral malware starts to evidence itself across the web.

While it would be unfair to say that some of this will lean towards scaremongering, there will no doubt be some pretty creative story pitches.

A vague whisper of the kind of report that may surface next month landed (safely and without malicious intent) in my inbox earlier this week. Centred on developer ‘confusion’ over safe versus unsafe cryptographic algorithms, it takes the form of a “manifesto” that provides programmers with an encryption check-list, so that safer builds result at every level.

So an unsafe cryptographic algorithms guide; hogwash, hullabaloo or home-truth?

The report is available here for free download without registration. Unsurprisingly there is a security vendor behind this; in this case it is Fortify. Credit to them for at least making it free without any extra surfing on their site over and above the link I have shown here.

Before you get yourself a cup of tea and get ready to phone your CTO with ground-breaking news, this is an eight-page “manifesto” of 1409 words – and 318 of those are the references appendix. So it’s not exactly the security developer’s Magna Carta.

That being said, the report’s author has taken the trouble to draw an important distinction and differentiate between problems that introduce real risk to systems being developed today, as opposed to hypothetical research focused on attacks that won’t be feasible in the mainstream for years.

As always with these things, be as sceptical about the validity of the reports and tools being proffered as you are about the very threats that exist on the web and inside the systems and ecosystem in which you live. That way, we all stay sharp and we all stay safe, I reckon.

Comments on this post

filthylooker

'rouge' code?
I've not come across this jargon - presumably it's malware propagated by those of a politically leftward leaning?

Posted by filthylooker on Mar 20, 2009 1:10 PM

Adrian Bridgwater

This comment has been deleted at the user's request

Updated by Adrian Bridgwater on Mar 20, 2009 4:48 PM

Adrian Bridgwater

Well - if the PR world can coin a phrase or two I thought it was probably open season for new jargon.

:-)

Adrian

Posted by Adrian Bridgwater on Mar 20, 2009 2:22 PM
