"Would you and/or other members of the OpenBSD coders consider
writing a book on secure, bug-free coding and auditing? Most
programming books feature sample code that is written for
pedagogical purposes. Quite often this runs contrary to how secure
code should be written, leaving a gap in many a programmer's
knowledge. A book on auditing and how to avoid security pitfalls
when coding would also make your life easier - less code to audit
for OpenBSD, and more time to concentrate on nifty new

"There is perhaps a split between the two issues you bring up.
On the one side is secure coding, as in code written to be secure
by the original author(s). On the other side, auditing, which is
where an outsider (or an insider) later on goes and tries to clean
up the mess which remains. And there is always a mess. Perhaps part
of the problem is that a huge gap lies between these two. In the
end though, I think that a book on such a topic would probably have
to repeat the same thing every second paragraph, throughout the
book: Understand the interfaces which you are coding to! Understand
the interfaces which you are coding to! Most of the security (or
simply bug) issues we audited out of our source tree are just that.
The programmer in question was a careless slob, not paying
attention to the interface he was using. The repeated nature of the
same classes of bugs throughout the source tree also showed us
that most programmers learn to code by (bad) examples...."

"Has the OpenBSD team ever proposed looking into how to create a
'secured ports' tree, or some other similar system, that would
ensure that many of the applications people specifically want
secure platforms like OpenBSD to run could be as trusted as the