1:30 another thing he said, is "If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle. Hence to fight and conquer in all your battles is not supreme excellence. Supreme excellence consists in breaking the enemy's resistance without fighting." - This is also true about making a secure system. If you don't know how a Hacker thinks, you are going to have a hard time making your system even a bit secure, possible, but hard. If you don't know any side, you're going to be an easy target. The last part is even more true. If you break their will, e.g. by having a weird network architecture, or a honey pot (network), you can already do a lot. "Water shapes its course according to the nature of the ground over which it flows. The soldier works out his victory in relation to the foe whom he is facing. Therefore, just as water retains no constant shape, so in warfare there are no constant conditions." - Hackers are always going to use the easiest point of entry in your system, not the strongest, they are also going to change strategies if one doesn't work.
Sadly no mention of how to secure your code if you're developing for Windows. Nothing about crtdbg.h (making memory leaks insanely easy to find and fix since about 1993), secure C runtime functions (strcpy_s, etc), enable warnings about not using secure C runtime functions, making those warnings errors so insecure code won't compile, SAL, Code Analysis, etc.... These things are built into Visual Studio, no need to go install half a dozen other packages...
Excellent feedback, thank you. I do cover those when I do training along with the analogs for Linux. Unfortunately, with the time I had I did a more general talk that applied to secure coding on any platform. Sounds like a great follow-on for next year, though. Thanks again for your feedback.
Good idea! Secure secured data with more secure functions to check on whether the other secure functions are actually secure, and if they are not, just use more secure functions, because that should in theory make the insecurity packed in securely, at least. Security is so easy.
1:30 another thing he said, is "If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle. Hence to fight and conquer in all your battles is not supreme excellence. Supreme excellence consists in breaking the enemy's resistance without fighting." - This is also true about making a secure system. If you don't know how a Hacker thinks, you are going to have a hard time making your system even a bit secure, possible, but hard. If you don't know any side, you're going to be an easy target. The last part is even more true. If you break their will, e.g. by having a weird network architecture, or a honey pot (network), you can already do a lot.
"Water shapes its course according to the nature of the ground over which it flows. The soldier works out his victory in relation to the foe whom he is facing. Therefore, just as water retains no constant shape, so in warfare there are no constant conditions." - Hackers are always going to use the easiest point of entry in your system, not the strongest, they are also going to change strategies if one doesn't work.
This is why including C headers should be compiler warnings unless an -I-promise-I-know-what-Im-doing flag is passed to the compiler.
And then someone will make a commit to the main header file without a comment:
#DEFINE -I-promise-I-know-what-Im-doing
Fantastic pair of talks.
Sadly no mention of how to secure your code if you're developing for Windows. Nothing about crtdbg.h (making memory leaks insanely easy to find and fix since about 1993), secure C runtime functions (strcpy_s, etc), enable warnings about not using secure C runtime functions, making those warnings errors so insecure code won't compile, SAL, Code Analysis, etc.... These things are built into Visual Studio, no need to go install half a dozen other packages...
Excellent feedback, thank you. I do cover those when I do training along with the analogs for Linux. Unfortunately, with the time I had I did a more general talk that applied to secure coding on any platform. Sounds like a great follow-on for next year, though. Thanks again for your feedback.
Good idea! Secure secured data with more secure functions to check on whether the other secure functions are actually secure, and if they are not, just use more secure functions, because that should in theory make the insecurity packed in securely, at least. Security is so easy.