Hans Westphal wrote:
Other suggestions: Subscribe to Security lists: [EMAIL PROTECTED], [EMAIL PROTECTED]
Self-education through books ...
and webcasts
...
Thanks Hans -- good suggestions. I think, though, that what most of my students have wanted more than "just" information sources are suggestions of tangible things that they can start _doing_ in their journey to really practicing secure coding. For example, although most of them agree that a threat modeling process (a la STRIDE/DREAD) makes sense for the long run, it's too much to expect them to undertake right away (for all the reasons that I listed previously in this thread).
So, the basic premise in the brainstorming that we went through in the classes has been to answer the question, "What tangible actions can they start taking immediately that will be both helpful and feasible to implement within existing budget/time constraints?" They jumped right on ideas like adding an information sharing portal/fileshare where they can share experiences, vetted designs, architectures, etc. That's a low cost, low risk thing that is easy to accomplish. (It remains to be seen if they actually make use of it, but that's another issue.)
That said, I like including a list of useful lists, sites, e-zines, etc., that they can dive into to further their knowledge. (It amazes me how few of the software developers I've spoken with have ever even heard of Full-Disclosure, PHRACK, etc.)
Cheers,
Ken van Wyk http://www.KRvW.com