Hawaiian, the Bible, and Secure Coding
As I talked about in my last blog entry, what free time I have not working for Oracle is filled with a magpie's interests (magpies have all sorts of things in their nest that they collect; anything so long as it is "interesting"). One of my passions is for the Hawaiian language, which I am assiduously trying to learn. (I usually have a couple of "How-To" books with me on planes, and a bunch of flashcards I flip through while waiting in airports.) As I know no native speakers to converse with, I resort to speaking Hawaiian to Thunder, my Siberian Husky, who understands everything food and play-related (Makemake ‘oe i kāu mea pa'ani? - "Do you want your toy?") and who assiduously ignores anything that's a command (E kū ‘oe - "Stay.") Smart dog; he has trained me well.
Hawaiian is a rich language that was passed down through oral tradition, e.g., through mele (chants), and hula (dance). However, the written form of Hawaiian was created by Christian missionaries in the early 19th century, so that they could translate the Bible into Hawaiian, as part of the Great Commission to preach the gospel to all the lands. It occurs to me that there are some similarities between trying to learn a beautiful—but not widely spoken—language and trying to teach developers to write secure code. If you are trying to "convert the heathen," by convincing them to repent of their sins, you need to put the gospel (of secure coding, in this case) into a language that they understand.
There are a lot of arguments in academic circles about who actually wrote the Bible, when the stories were written down, even whether the people in it really existed. Whether you think the Bible is history, oral tradition, or the Word of God, the Bible includes stories that are not all sweetness and light and that are not complimentary to all the people profiled. (For example, according to the Bible, King David was greatly loved by God, yet he was an adulterer and a murderer.)
Oracle Secure Coding Standards reflect both "oral tradition" and actual history of coding at Oracle. Like the Bible, they include the good, the bad, and the ugly, because we use our own "sins of the past" as examples in the text. The reason we do this is that we feel developers can learn best from the mistakes or sins (nā hewa in Hawaiian) of others. Otherwise, the discussion of security vulnerabilities becomes an academic argument; e.g., "Nobody would ever really do that would they? Besides, this is behind a firewall." Ultimately, the Oracle Secure Coding Standards are not the Word of God, but we feel that in addition to an academic discussion of why secure coding matters, and how specific attacks are enabled through poor coding practice, a story of what went wrong with a development group in the past, why it was a problem, and in some cases what it cost us to fix the issue, helps people understand secure coding better than mere technical explanations ever could.
The Oracle Secure Coding Standards have been expanded from a simple explanation of what a buffer overflow is (that I wrote up years ago) to over 200 pages, through the auspices of many contributors, most of whom work for me. It's a good time to say mahalo nui loa (thanks very much) to our Chief Hacking Officer and others (the ethical hacking team) who have worked on, contributed to, and reviewed the secure coding standards, and the program managers (thanks, Evelyn!) who turned them into training classes.
The last verse of almost any Hawaiian song typically begins: Ha'ina' ia mai ana ka puana: "Tell the story." You know what the song is about because the song itself tells you what it was about. Our secure coding standards, and the training we do to help developers understand them, "tell the story," or "sing the refrain."
I've had people ask me why I am spending my time learning a language that "isn't useful for business, like Spanish or Chinese." My answer would be that many things in life that really matter are not "valuable" in the sense of putting a price tag on them. In particular, when I listen to Hawaiian music, as I have for many years, I no longer only hear only a beautiful melody, great voices and ki ho ‘alu (Hawaiian slack key), but I hear the words—and understand them—in the language in which the song was written. It is inexpressively beautiful, and priceless. E ola mau ka ‘ōlelo Hawai'i! (The language of Hawai'i lives!)
I hope that what will happen over time as we continue to invest in secure coding tools, classes, and coding standards, isn't merely that developers read the stories, and "turn away from their sins," but that they learn to hear the music in the language it was written in, and respond to it. Writing secure code isn't just a technical exercise; it is something that matters. There is a beauty in it, in fact.
Pau ka ha'awina (End of the lesson).
For more reading:
A good book on secure coding is Building Secure Software: How to Avoid Security Problems the Right Way by John Viega and Gary McGraw.
For some interesting reading on who wrote the Bible: Who Wrote the Bible by Richard E. Friedman.
You can find the Baibala Hawai'i (Hawaiian Bible) online at http://baibala.org/. For some good Hawaiian language resources online, try the Hawaiian language website at http://www.geocities.com/~olelo/. In particular, Hawaiian for Your Pet at http://www.geocities.com/TheTropics/Shores/6794/wl-hawaiianforyourpet.html
And last but not least, check out the music of Hapa (http://www.hapa.com). If that does not make you love all things Hawaiian, nothing will. Mahalo nui loa nô nâ mele, Nathan ame Barry.
