Secure Coding mailing list archives
Re: Grass roots secure coding efforts
From: "Kenneth R. van Wyk" <ken () krvw com>
Date: Mon, 23 Aug 2004 19:00:29 +0100
Hans Westphal wrote:

> Other suggestions:
> Subscribe to Security lists: [EMAIL PROTECTED], [EMAIL PROTECTED]
> Self Education through books ...
> and Webcast's ...

Thanks Hans -- good suggestions. I think, though, that what most of my students have wanted more than "just" information sources are suggestions of tangible things that they can start _doing_ in their journey to really practicing secure coding. For example, although most of them agree that a threat modeling process (a la STRIDE/DREAD) makes sense for the long run, it's too much to expect them to undertake right away (for all the reasons that I listed previously in this thread).

So, the basic premise in the brainstorming that we went through in the classes has been to answer the question, "What tangible actions can they start taking immediately that will be both helpful and feasible to implement within existing budget/time constraints?" They jumped right on ideas like adding an information sharing portal/fileshare where they can share experiences, vetted designs, architectures, etc. That's a low cost, low risk thing that is easy to accomplish. (It remains to be seen if they actually make use of it, but that's another issue.)

That said, I like including a list of useful lists, sites, e-zines, etc., that they can dive into to further their knowledge. (It amazes me how few of the software developers I've spoken with have ever even heard of Full-Disclosure, PHRACK, etc.)

Cheers,

Ken van Wyk
http://www.KRvW.com