Secure Coding mailing list archives
Re: Spot the bug
From: Christopher Canova <ccanova () reachone com>
Date: Wed, 20 Jul 2005 21:41:37 +0100
John Steven wrote:

> I'm excited that Microsoft is reaching out and providing this learning aid. Most people I interview don't know how to spot some pretty simply vulnerable code constructs. I'll even have my newbies subscribe to this RSS for a spell, in hopes that their attack toolkit may be augmented.

I have been waiting to see this sort of thing from MS for awhile now because it shows a shift in focus. I have been waiting for MS to catch on that coding with security in mind and comprehensive testing before deployment are at the heart and soul of the Software Development Life Cycle. It seems to me that they may be shifting from a Deploy-first-ask-questions-later tactic to a Code-it-right-before-it's-out-the-door. The fact that they even are acknowledging, albeit lightly, that bugs are fun to spot may mean that they are shifting focus sooner rather than later. I am excited about the prospects of this, as well.

> But, some advice for Microsoft if they're listening: When the initial entrées are so ridiculously simple that they don't even bear a full minute of scrutiny, they are best served in sets of 10. That gives the audience enough problems to puzzle through that they can mentally engage.

I don't think the "game" is actually a serious competition. I think they are introducing the concept to raise awareness about the issue, which is more than what they've done in the past. Because MS provides an API for other software development companies, they are often not in control of the programming practices for every vendor that uses the APIs. Perhaps they are targeting an audience at the novice level and introducing the concept so they will be asking more serious questions elsewhere? In any case, I'm glad to see someone in MS has come out of the closet on this issue.

--
Christopher Canova