On Thu, Sep 2, 2010 at 2:21 PM, Sam Lai <[email protected]> wrote:

> Martin, sounds like a sign that they're actually teaching their
> students about such attack techniques, which is bad on your end, but
> is probably a good thing given the comments here.
>
> Now that you mentioned uni, I have to say I don't recall ever being
> taught anything about SQL or XSS injection techniques, or any other
> basic attack vectors.
It's really implied, isn't it? If you understand how string concatenation works, and how SQL works, it should be obvious that if the input isn't what you think it is, it's possible to do "other things".

> In fact, I explicitly remember there usually
> being a statement on assignments saying that you can assume the input
> will be valid.

Well, the lecturer/teacher should specifically be called out on this, as input validation is critically important, as you highlight. It may not always be their fault, if they are following some course guideline and just want to get the core stuff done.

In my not so humble opinion (on this matter), like you suggest, there is significantly more that should be being done at the University/TAFE level in regards to secure-programming education. I still believe OWASP "could" do this, but I don't totally believe in the organisation as it stands right now.

It would be nice if, say, Microsoft (through influence from Mark Curphey or similar) could open some doors and send some of their MVPs in to educate people on this matter. Once a month a little guest presentation from an industry expert would go a long way, I think (maybe this is already done; I'm not familiar with what happens in programming degrees these days).

Even outside of direct "help" from Microsoft, I think any individual could discuss with OWASP or a similar organisation and come up with a way to contact unis and give a lecture on some industry-experienced approaches to actually developing securely, and the proper way to do validation and write to cookies and use hashing schemes and so on.

If the current process isn't educating people correctly then let's change it. We have the power. The question is how much you care.

> Maybe that's part of the problem.

--
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy of being this signature."
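The point silky makes above (string concatenation plus SQL makes unexpected input do "other things", and input validation matters) is easier to see in running code. The following is an added example, not part of the thread and not anyone's course material: it builds a small in-memory SQLite table (constructed sample data), runs the same lookup once by concatenation and once with a bound parameter, and adds the allow-list validation the message calls critically important. The table, column names and `USERNAME_RE` pattern are assumptions for the demo.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data for the demonstration (not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_concat(conn, name):
    """The pattern the email warns about: the user-supplied string becomes
    part of the SQL text, so any SQL syntax inside it is parsed as SQL."""
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_param(conn, name):
    """Parameterised form: the value is bound separately from the SQL text,
    so whatever it contains is compared literally against the column."""
    query = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


# Assumed username shape for the allow-list check (hypothetical policy).
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def validate_username(name):
    """Allow-list input validation: reject anything outside the expected
    shape before it reaches the database. This is defence in depth on top of
    parameterisation, not a substitute for it."""
    return USERNAME_RE.fullmatch(name) is not None


if __name__ == "__main__":
    conn = make_db()
    benign = "bob"
    # Constructed input that is a perfectly valid string but is not the
    # "valid input" an assignment lets you assume.
    surprising = "x' OR '1'='1"
    print(lookup_concat(conn, benign))      # one row, as intended
    print(lookup_concat(conn, surprising))  # every row: the WHERE clause was rewritten
    print(lookup_param(conn, surprising))   # no rows: the value was compared literally
    print(validate_username(surprising))    # False: rejected before any query runs
```

The concatenated version returns the whole table for the surprising input because the quote character ends the string literal and the rest is parsed as SQL; the parameterised version never lets the value touch the SQL grammar, and the validation step rejects it outright.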
