Secure Coding mailing list archives
Re: Is developer education a lost cause?
From: "Joe Teff" <joe () joeteff com>
Date: Fri, 23 Jan 2004 03:58:15 +0000
I believe that educating developers is the single best method to improve the security of software. Corners get cut every day because of constraints of one type or another. That is a fact of life and I don't see it going away. By educating the builders of the code, at least they understand what is possible and can start taking better precautions. By educating the decision makers, we can start redefining which corners just can't be cut. Or at least what the risks are if they are cut. There are too many instances where decisions are made because the potential result is not understood.

Part of my job is to educate developers and architects about web application security. It is amazing how many do not understand the weaknesses of various technologies. There is a tendency for developers to only think in terms of how their software should be used, not in how someone may misuse it. This tendency causes vulnerabilities like SQL Injection, command injection, cross-site scripting, buffer overflows, hidden field/parameter/cookie tampering, direct browsing, directory traversal, etc.

That doesn't mean they will write 100% safe code forever. Most developers tend to program more defensively once they are exposed to the possibility of vulnerable practices. My next goal is to start educating the decision makers.

joe teff