WebApp Sec mailing list archives
Re: Secure Coding? Bah!
From: Juridian <Juridian () Juridian com>
Date: Thu, 22 Jan 2004 21:46:30 -0800
The SANS/GIAC security essentials course online lasts about 6 months but can be done in less. That course provides a general security overview covering many areas including Windows, Unix, intrusion detection, auditing, web security, and the CISSP CBK. I think that most major institutions could cobble together something similar that they could teach in a quarter or two at the very least if they don't have one already. Something similar could be done for a class to teach secure software development practices.

I think part of the problem stems from the fact that a majority of the books out there that teach development teach bad habits. A prime example that a colleague pointed out to me today is that the majority of ASP 3.0 books teach people to use inline SQL (ignoring stored procedures) and rarely if ever show the reader how to check the validity of the input, much less protect against SQL injection.

Knowledge of security keeps you from making silly mistakes that open your company up to liability when your users' private information becomes not so private due to poor configuration of your application servers, or poor coding practices opening you up to SQL injection attacks, or poor authentication techniques. It even keeps fraud to a minimum on your favorite multiplayer online game. That is what I want.

- Ernie
However, there is more to computer science than security! A full course of study focusing on security may not be as useful as it sounds. Don't forget data structures, algorithms, databases, graphics, etc. When you look at it, security doesn't really DO anything. Do you really want a program that doesn't accomplish anything, other than being secure?