This week's book giveaway is in the Java in General forum.
We're giving away four copies of Beginning Java 17 Fundamentals: Object-Oriented Programming in Java 17 and have ishori Sharan & Adam L Davis on-line!
See this thread for details.
Win a copy of Beginning Java 17 Fundamentals: Object-Oriented Programming in Java 17 this week in the Java in General forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Tim Cooke
  • Campbell Ritchie
  • Ron McLeod
  • Liutauras Vilda
  • Jeanne Boyarsky
Sheriffs:
  • Junilu Lacar
  • Rob Spoor
  • Paul Clapham
Saloon Keepers:
  • Tim Holloway
  • Tim Moores
  • Jesse Silverman
  • Stephan van Hulst
  • Carey Brown
Bartenders:
  • Al Hobbs
  • Piet Souris
  • Frits Walraven

do security patterns make exploits more dangerous?

 
Ranch Hand
Posts: 108
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Generally speaking I like the idea of patterns in SW for many reasons. Two of the biggest reasons are that they save development time and reduce errors (not repeating other peoples' mistakes). For these same reasons security patterns seem to me to be a good idea.

One small advantage to roll-your-own security software is the fact that you did it your way and it's probably not exactly like 95% of the other systems out there. If someone discovers an exploit through your security it pretty much just affects you. Or more importantly, if someone discovers an exploit for someone else's system it probably won't affect yours. However, if everyone is following the same sort of security patterns and an exploit is discovered for one of those patterns doesn't that mean that a lot of systems will be affected?

Of course, if a well known pattern is exploited it will probably be patched rather quickly where a roll-your-own system might never get patched (if the comprimise is even noticed).

_M_
 
Ranch Hand
Posts: 150
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
It would seem to me that if I roll my own, even though I come up with new code, I'm likely to fall into the same patterns as someone else coming up with code to solve the same problem. So, effectively, my choice becomes whether I'm implementing a pattern (likely bad) that I don't recognize, or implementing patterns that have been examined with an eye for security. Given that patterns are usually not created, but are generally documented after being recognized from best practices, I figure I want to copy the best.
 
hired gun
Posts: 250
MS IE Oracle Windows
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I've always felt that when it comes to security that there's thousands of people out there trying to crack my stuff against me trying to write something secure.

So to me using a pattern may help to leverage some more brain power on my side of the equation.
 
Author
Posts: 159
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Good points and well said...Tina and John.
 
Mike Noel
Ranch Hand
Posts: 108
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Thanks for the responses. They make sense. I wasn't trying to discredit security patterns. They seem like a GREAT idea to me. I'm not a security expert so any chance to leverage off of the thinking others have already done (as you mentioned, Tina) sounds good to me. It just struck me that using patterns might make exploits more dangerous. The pros definitely outweight the cons here though.

_M_
 
Greenhorn
Posts: 23
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Most of the security exploits are with the implementation, not the pattern itself. The patterns specifies the problem and how to solve it, not the code to implement that solution. This conversation crosses into the open source security debate and different people have different opinions on that issue.
 
reply
    Bookmark Topic Watch Topic
  • New Topic