Secure Coding mailing list archives

SANS List etc..


From: shouvik at electrosoft-inc.com (Shouvik Bardhan)
Date: Thu, 15 Jan 2009 09:08:45 -0500

Guys,

I am new to the App Security area, so Stupid Comments Alert firstly. Many
thanks for the insights that I get from the discussions on this board. I
have been doing design/development for nearly 25 years now, and it is
interesting, and frightening, how I hardly ever actively think (thought)
about Security while coding - I know, I know!!


So, a few questions and comments from a newbie in the field:

a) Why is the meaning of input validation/output encoding so
passionately contested? Is the subject not well understood? Are the remedies
not well known? Is there a need to define the validation/protection in a
more formal manner?

b) I kind of like the OWASP T10, OWASP ASVS, OWASP Testing Guide and
now the SANS 25. To me, App Security is a new field for many of us, and if
some smart folks get together and create "Things to consider" type lists,
isn't it a good thing? When DHS tells me to keep 7 days of water/food,
flashlights/batteries and a transistor radio, I think "well, this may or
may not be enough, but fairly smart people have come up with a list and I
better take a note of that."

c) I am trying to understand why Gary said that teaching secure
programming at University Level is not a good idea. Maybe not as a CS102 or
CS202 class - there, guys just need to be able to understand how to write code.
But why is it not a good idea to teach secure programming in an MS
curriculum?

Thanks again.

-Shouvik
