Hi Anurag,

On Tue, Jun 26, 2012 at 1:53 PM, Anurag Agarwal
<anurag.agar...@yahoo.com> wrote:
> After speaking with a lot of developers we realized they are looking for a
> fun, quick way to enhance their knowledge about the secure coding aspects of
> development. We have put together a series of interactive quizzes which test
> security professionals’ and software developers’ secure development
> awareness while teaching them how to build more secure software. Please find
> links to the first two, below. The first quiz is based on the OWASP Top Ten
> Project and the second quiz is based on best practices of secure coding.
Forgive my position here, but asking developers to tell you about what
they don't know (and then how to teach it) seems like it has a number
of shortcomings. For example, how many C/C++ programmers asked you to
teach them about integrating with platform security features available
from the operating system? This is sometimes known as "platform
security" or "securing the tool chain", and would include the
following settings in a Visual Studio/Eclipse/makefile project:

  * Visual Studio
    ** /W4
    ** /Wall
    ** /analyze (Enterprise Code Analysis, free download)
    ** /GS
    ** /SafeSEH (and SEHOP via the registry)
    ** /NXCOMPAT
    ** /dynamicbase
    ** strict_gs_check (#pragma, use on high risk files)

  * GCC/LD
    ** -Wall
    ** -Wextra
    ** -Wconversion
    ** -Wformat=2  -Wformat-security
    ** -fstack-protector or -fstack-protector-all
    ** -Wstrict-overflow
    ** -Wl,-z,nodlopen
    ** -Wl,-z,nodldump
    ** -Wl,-z,noexecstack
    ** -Wl,-z,noexecheap (as available)
    ** -Wl,-z,relro
    ** -Wl,-z,now
    ** -fPIE and -pie (or -fPIC and -pic for shared objects/dso's)
    ** -D_FORTIFY_SOURCE (Glibc, as available)

I know of one financial institution that has 200+ C/C++ applications,
and a secure tool chain is not [currently] part of their security
blueprints or best practices. It seems obvious to me that a secure
tool chain is the first step in secure coding; and this is an
awareness problem.

Also, as soon as you kill the OWASP top 10 (or the top 19/24 deadly
sins, et al), there will be another set of problems to take their place -
ad infinitum.

Jeff
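Knowing the GCC/LD flags is only half of the awareness problem: a build system that silently drops them produces a binary that looks fine. As an added example (not code from this thread), here is a small Python checker that reads an ELF64 binary's program headers and dynamic section for the marks the linker flags leave behind: ET_DYN for -pie, a PT_GNU_STACK without PF_X for -Wl,-z,noexecstack, PT_GNU_RELRO for -Wl,-z,relro, and DF_BIND_NOW/DF_1_NOW for -Wl,-z,now. The build_sample_elf helper and its header-only image are constructed so the check runs offline; pass a real binary path as argv[1] to inspect it instead.

```python
import struct
import sys

# ELF constants (System V ABI / GNU ld); only the ones the check needs.
ET_DYN = 3                                          # PIE executable or shared object
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 0x1
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def check_elf64(data: bytes) -> dict:
    """Report which link-time hardening a little-endian ELF64 image carries."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    # No PT_GNU_STACK at all means the Linux loader gives the process an executable stack.
    result = {"pie": e_type == ET_DYN, "nx_stack": False, "relro": False, "bind_now": False}
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:                  # -Wl,-z,noexecstack clears PF_X here
            result["nx_stack"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:                # -Wl,-z,relro
            result["relro"] = True
        elif p_type == PT_DYNAMIC:                  # -Wl,-z,now sets DF_BIND_NOW / DF_1_NOW
            for j in range(p_filesz // 16):
                d_tag, d_val = struct.unpack_from("<qQ", data, p_offset + j * 16)
                if d_tag == DT_NULL:
                    break
                if (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
                    result["bind_now"] = True
    result["full_relro"] = result["relro"] and result["bind_now"]   # GOT read-only after relocation
    return result

def build_sample_elf(pie=True, nx_stack=True, relro=True, bind_now=True) -> bytes:
    """Constructed header-only ELF64 image (not a runnable program) for exercising check_elf64."""
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0) + struct.pack("<qQ", DT_NULL, 0)
    dyn_off = 64 + 3 * 56                           # dynamic entries follow the three program headers
    ehdr = (b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
            + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else 2, 62, 1, 0, 64, 0, 0, 64, 56, 3, 64, 0, 0))
    def phdr(p_type, p_flags, p_offset=0, p_filesz=0):
        return struct.pack("<IIQQQQQQ", p_type, p_flags, p_offset, 0, 0, p_filesz, p_filesz, 8)
    return (ehdr + phdr(PT_GNU_STACK, 6 if nx_stack else 7)   # RW (6) or RWX (7)
            + phdr(PT_GNU_RELRO if relro else 0, 4)           # PT_NULL when RELRO is absent
            + phdr(PT_DYNAMIC, 6, dyn_off, len(dyn)) + dyn)

if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    for name, ok in check_elf64(image).items():
        print(f"{name:10s} {'yes' if ok else 'NO'}")
```

Stack canaries (-fstack-protector) and FORTIFY_SOURCE leave their trace in imported symbols such as __stack_chk_fail and the *_chk variants, which this header-level check does not inspect.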

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________