In-Reply-To: <[EMAIL PROTECTED]>
List-Id: Secure Coding Mailing List <sc-l.securecoding.org>
List-Archive: <http://lists.virus.org>
List-Help: <http://www.securecoding.org/list/charter.php>
Dana Epp wrote:
> I think we have to go one step further.
>
> It's nice to know what the attack patterns are. A better thing to do is
> to know how to identify them during threat modeling, and then apply
> safeguards to mitigate the risk. i.e.: We need a merge of thoughts from
> "Exploiting Software" and "Building Secure Software" into a single
> source... where attack and defense can be spoken about together.

I fully agree with you, Dana, and it's a good point.

That said, though, let me just revisit the observation that I made at the beginning of this thread. In my discussions with a _whole bunch_* of developers, I've noted that few of them even bother to notice security faults in software beyond the most cursory levels. (*No, this doesn't represent a statistical sampling or any scientific study of any sort; just my gut feel.) The observation came from noticing how few developers read, or are even aware of the existence of, things like Full-Disclosure, Bugtraq, PHRACK, and RISKS.

Gunnar Peterson noted that security is just one among many "*-ilities" that developers have to contend with, and that makes good sense to me.

So, I guess that the real question should be, "how do we get software developers _in general_ to sit up and notice software security?" Training, books, etc., are well and good, but they presuppose that the developer has already passed the first hurdle of noticing that security is an issue. I'm convinced that most developers will quickly understand at least most of the issues once they start reading/learning.

Cheers,

Ken van Wyk
KRvW Associates, LLC
http://www.KRvW.com