John Steven wrote:
I'm excited that Microsoft is reaching out and providing this learning aid.
Most people I interview don't know how to spot some pretty simple vulnerable
code constructs. I'll even have my newbies subscribe to this RSS for a
spell, in hopes that their attack toolkit may be augmented.
I have been waiting to see this sort of thing from MS for a while now
because it shows a shift in focus. I have been waiting for MS to catch
on that coding with security in mind and comprehensive testing before
deployment are at the heart and soul of the Software Development Life
Cycle. It seems to me that they may be shifting from a
Deploy-first-ask-questions-later tactic to a
Code-it-right-before-it's-out-the-door. The fact that they even are
acknowledging, albeit lightly, that bugs are fun to spot may mean that
they are shifting focus sooner rather than later. I am excited about the
prospects of this, as well.
But, some advice for Microsoft if they're listening:
When the initial entrées are so ridiculously simple that they don't even
bear a full minute of scrutiny, they are best served in sets of 10. That
gives the audience enough problems to puzzle through that they can mentally
engage.
I don't think the "game" is actually a serious competition. I think they
are introducing the concept to raise awareness about the issue, which is
more than what they've done in the past. Because MS provides an API for
other software development companies, they are often not in control of
the programming practices for every vendor that uses the APIs. Perhaps
they are targeting an audience at the novice level and introducing the
concept so they will be asking more serious questions elsewhere?
In any case, I'm glad to see someone in MS has come out of the closet on
this issue.
-- Christopher Canova