- From: Martin J. Dürst <duerst@it.aoyama.ac.jp>
- Date: Wed, 23 Aug 2023 16:26:00 +0900
- To: Seph Gentle <me@josephg.com>, Eric J Bowman <mellowmutt@zoho.com>, Willy Tarreau <w@1wt.eu>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
Hello everybody, Before complaining that nobody reads RFCs (which is of course a problem), please note that BCP 56 (RFC 9205) is entitled "Building Protocols with HTTP", which will easily lead a potential reader to say "that's not for me, I'm just using HTTP, no new protocol here". Regards, Martin. On 2023-08-22 16:49, Seph Gentle wrote: > We could. But I doubt it would help. > > Frankly, I suspect less than 1% of working software developers have ever actually read any RFC (or BCP) published by the IETF. And the people who read specs aren't the people who need to be told not to run unauthenticated SQL queries on port 80. > > I was invited a few times to give guest lectures about computer science at General Assembly. For those who don't know, they run a 3 month "coding bootcamp", where they teach people just enough information about software development to get their foot in the door in the industry. Of their 60 classroom days, 0 of them are devoted to security. Their program seems to teach the philosophy of "If it seems to work, ship it". Needless to say, their students have no idea what the IETF is. They don't read any BCP documnets in their course. And despite writing web software, students graduate without really knowing HTTP. > > If you want to stop these ridiculous security vulnerabilities with education, it is those students you need to reach somehow. We could change some of the 9000 or so words in BCP56 to teach some information security. But it won't stop MoveIt from shipping insecure code. If they hired the sort of people who read BCP documents, I doubt they would have made these sort of mistakes in the first place. > > For my money, as an industry I think we need to solve this via the legal system. Harm caused by insecure software should be treated the same way that we treat harm caused by negligent builders, or negligent handling of food resulting in food poisoning. There should be much stricter penalties for data breaches like this. And companies shouldn't be able to wish away their liability with a EULA. If data security was an existential risk for companies, you bet security would become an essential part of their product development processes. > > But I think campaigning for this isn't part of the IETF's remit. We could change the BCP document, but I doubt it'll stem the tide of sloppy, insecure code. > > -Seph
Received on Wednesday, 23 August 2023 07:26:21 UTC