Secure Coding mailing list archives

Re: Grass roots secure coding efforts


From: "Kenneth R. van Wyk" <ken () krvw com>
Date: Mon, 23 Aug 2004 19:00:29 +0100


Hans Westphal wrote:

> Other suggestions:
> Subscribe to Security lists:
> [EMAIL PROTECTED], [EMAIL PROTECTED]
>
> Self Education through books
> ...
>
> and Webcasts
> ...


Thanks Hans -- good suggestions.  I think, though, that what most of my 
students have wanted more than "just" information sources are 
suggestions of tangible things that they can start _doing_ in their 
journey to really practicing secure coding.  For example, although most 
of them agree that a threat modeling process (a la STRIDE/DREAD) makes 
sense for the long run, it's too much to expect them to undertake right 
away (for all the reasons that I listed previously in this thread). 

So, the basic premise in the brainstorming that we went through in the 
classes has been to answer the question, "What tangible actions can they 
start taking immediately that will be both helpful and feasible to 
implement within existing budget/time constraints?"  They jumped right 
on ideas like adding an information sharing portal/fileshare where they 
can share experiences, vetted designs, architectures, etc.  That's a low 
cost, low risk thing that is easy to accomplish.  (It remains to be seen 
if they actually make use of it, but that's another issue.)


That said, I like including a list of useful lists, sites, e-zines, 
etc., that they can dive into to further their knowledge.  (It amazes me 
how few of the software developers I've spoken with have ever even heard 
of Full-Disclosure, PHRACK, etc.)


Cheers,

Ken van Wyk
http://www.KRvW.com
