Hawaiian, the Bible, and Secure Coding

As I talked about in my last blog entry, what free time I have not working for Oracle is filled with a magpie's interests (magpies have all sorts of things in their nest that they collect; anything so long as it is "interesting"). One of my passions is for the Hawaiian language, which I am assiduously trying to learn. (I usually have a couple of "How-To" books with me on planes, and a bunch of flashcards I flip through while waiting in airports.) As I know no native speakers to converse with, I resort to speaking Hawaiian to Thunder, my Siberian Husky, who understands everything food and play-related (Makemake ‘oe i kāu mea pa'ani? - "Do you want your toy?") and who assiduously ignores anything that's a command (E kū ‘oe - "Stay.") Smart dog; he has trained me well.

Hawaiian is a rich language that was passed down through oral tradition, e.g., through mele (chants), and hula (dance). However, the written form of Hawaiian was created by Christian missionaries in the early 19th century, so that they could translate the Bible into Hawaiian, as part of the Great Commission to preach the gospel to all the lands. It occurs to me that there are some similarities between trying to learn a beautiful—but not widely spoken—language and trying to teach developers to write secure code. If you are trying to "convert the heathen," by convincing them to repent of their sins, you need to put the gospel (of secure coding, in this case) into a language that they understand.

There are a lot of arguments in academic circles about who actually wrote the Bible, when the stories were written down, even whether the people in it really existed. Whether you think the Bible is history, oral tradition, or the Word of God, the Bible includes stories that are not all sweetness and light and that are not complimentary to all the people profiled. (For example, according to the Bible, King David was greatly loved by God, yet he was an adulterer and a murderer.)

Oracle Secure Coding Standards reflect both "oral tradition" and actual history of coding at Oracle. Like the Bible, they include the good, the bad, and the ugly, because we use our own "sins of the past" as examples in the text. The reason we do this is that we feel developers can learn best from the mistakes or sins (nā hewa in Hawaiian) of others. Otherwise, the discussion of security vulnerabilities becomes an academic argument; e.g., "Nobody would ever really do that would they? Besides, this is behind a firewall." Ultimately, the Oracle Secure Coding Standards are not the Word of God, but we feel that in addition to an academic discussion of why secure coding matters, and how specific attacks are enabled through poor coding practice, a story of what went wrong with a development group in the past, why it was a problem, and in some cases what it cost us to fix the issue, helps people understand secure coding better than mere technical explanations ever could.

The Oracle Secure Coding Standards have been expanded from a simple explanation of what a buffer overflow is (that I wrote up years ago) to over 200 pages, through the auspices of many contributors, most of whom work for me. It's a good time to say mahalo nui loa (thanks very much) to our Chief Hacking Officer and others (the ethical hacking team) who have worked on, contributed to, and reviewed the secure coding standards, and the program managers (thanks, Evelyn!) who turned them into training classes.

The last verse of almost any Hawaiian song typically begins: Ha'ina 'ia mai ana ka puana: "Tell the story." You know what the song is about because the song itself tells you what it was about. Our secure coding standards, and the training we do to help developers understand them, "tell the story," or "sing the refrain."

I've had people ask me why I am spending my time learning a language that "isn't useful for business, like Spanish or Chinese." My answer would be that many things in life that really matter are not "valuable" in the sense of putting a price tag on them. In particular, when I listen to Hawaiian music, as I have for many years, I no longer hear only a beautiful melody, great voices and ki ho ‘alu (Hawaiian slack key), but I hear the words—and understand them—in the language in which the song was written. It is inexpressibly beautiful, and priceless. E ola mau ka ‘ōlelo Hawai'i! (The language of Hawai'i lives!)

I hope that what will happen over time as we continue to invest in secure coding tools, classes, and coding standards, isn't merely that developers read the stories, and "turn away from their sins," but that they learn to hear the music in the language it was written in, and respond to it. Writing secure code isn't just a technical exercise; it is something that matters. There is a beauty in it, in fact.

Pau ka ha'awina (End of the lesson).

For more reading:

A good book on secure coding is Building Secure Software: How to Avoid Security Problems the Right Way by John Viega and Gary McGraw.

For some interesting reading on who wrote the Bible: Who Wrote the Bible by Richard E. Friedman.

You can find the Baibala Hawai'i (Hawaiian Bible) online at http://baibala.org/. For some good Hawaiian language resources online, try the Hawaiian language website at http://www.geocities.com/~olelo/. In particular, Hawaiian for Your Pet at http://www.geocities.com/TheTropics/Shores/6794/wl-hawaiianforyourpet.html
And last but not least, check out the music of Hapa (http://www.hapa.com). If that does not make you love all things Hawaiian, nothing will. Mahalo nui loa nô nâ mele, Nathan ame Barry.


Ms. Davidson,

This is not about Hawaii. I don't know any other way to reach you. I hope you read this. Regarding your comments about bad programmers costing $59 billion. I agree with everything you say. Absolutely. 100%. It is on the mark. But what I find ironic is that Oracle error messages NEVER display the name of the database nor the table nor the SQL that caused the problem. Most often one error message can be caused by a myriad of possible explanations. We have wasted days on failing Oracle install programs that stop with NO EXPLANATION! Support can hardly help because they stop with NO EXPLANATION! Do you have any idea how many weeks of total time I and my colleagues have wasted because Oracle software produces useless and meaningless error messages? Do you have any idea how many billions of dollars are wasted by companies in total because Oracle programmers were too lazy to put out good error messages and Oracle did not care enough to provide standards to these programs. The very same situation you decry in the industry? I am a programmer. I have never in my life put out any error message that did not provide sufficient information so that someone immediately knew what the problem was. I hate wasting people's time. I just find your comments somewhat ironic and had to lash out.

Jerry Lerman
National Grid USA
Westboro, MA

Posted by Jerry Lerman on May 27, 2006 at 05:45 AM PDT #

Mary Ann,

I learned a bit of the Hawaiian language while living there and now spend some time plugged into Rosetta Stone for lessons in Spanish (my first language but rusty), Portuguese, Mandarin, Japanese, etc. Love the music of Gabby, Israel "IZ" Kamakawiwo'ole and many others that keep the spirit alive. Suspect that developers will continue to be lazy about coding without much consideration for security, etc. until stronger emphasis is placed on QA testing for security, performance, etc. Mediocrity is for those of undirected passions.

Mark Sigler
Director, Database Solutions
Forsythe Solutions Group
msigler@forsythe.com
Moanalua High School '79

Posted by Mark Sigler on June 08, 2006 at 11:30 AM PDT #

Dear Ms. Davidson, As someone who was born and raised in Hawaii, and who studied the Bible as a historical document in college, I enjoyed reading your thoughts on how an understanding of history and tradition can help developers adhere to secure coding standards. It is an interesting analogy.

Posted by Becky Ikehara on June 09, 2006 at 05:57 AM PDT #
