Secure Coding mailing list archives

Re: Spot the bug


From: Christopher Canova <ccanova () reachone com>
Date: Wed, 20 Jul 2005 21:41:37 +0100


John Steven wrote:

> I'm excited that Microsoft is reaching out and providing this learning aid.
> Most people I interview don't know how to spot some pretty simple vulnerable
> code constructs. I'll even have my newbies subscribe to this RSS for a
> spell, in hopes that their attack toolkit may be augmented.


I have been waiting to see this sort of thing from MS for a while now 
because it shows a shift in focus. I have been waiting for MS to catch 
on that coding with security in mind and comprehensive testing before 
deployment are at the heart and soul of the Software Development Life 
Cycle. It seems to me that they may be shifting from a 
Deploy-first-ask-questions-later tactic to a 
Code-it-right-before-it's-out-the-door one. The fact that they even are 
acknowledging, albeit lightly, that bugs are fun to spot may mean that 
they are shifting focus sooner rather than later. I am excited about the 
prospects of this, as well.



> But, some advice for Microsoft if they're listening:
>
> When the initial entrées are so ridiculously simple that they don't even
> bear a full minute of scrutiny, they are best served in sets of 10. That
> gives the audience enough problems to puzzle through that they can mentally
> engage.


I don't think the "game" is actually a serious competition. I think they 
are introducing the concept to raise awareness about the issue, which is 
more than what they've done in the past. Because MS provides an API for 
other software development companies, they are often not in control of 
the programming practices for every vendor that uses the APIs. Perhaps 
they are targeting an audience at the novice level and introducing the 
concept so they will be asking more serious questions elsewhere?


In any case, I'm glad to see someone in MS has come out of the closet on 
this issue.


-- Christopher Canova