Gadi, I feel like I've been here before, but I'll give it another shot anyway.
> Okay, then let's make some progress:
> 1. Where and who is currently involved with doing this?
> 2. What are they doing?
> 3. Can we use their experience to make it a larger success?
> 4. How do we begin doing something large-scale?

The Secure Coding Initiative at CERT has a web site at www.securecoding.cert.org. The purpose of this site is to collect secure coding recommendations and rules for various programming languages. Our initial focus has been C and C++, but we are willing and interested in expanding this effort to other programming languages, provided that we can find someone to manage the efforts.

The C and C++ material on the site will be used as supplemental material to the Addison-Wesley book "Secure Coding in C and C++" in a "Secure Programming" course I am teaching this Spring at CMU (so it is being used to teach, as well as being a commercial and government resource). I am also working with other instructors at other educational institutions to develop a secure coding curriculum.

We have had significant community effort in the development of these secure coding standard practices so far, but we can use all the help we can get. If you would like to get involved, go to the site, sign up, and start reviewing the material. If you are qualified and would like to edit the material directly, send me email and I will grant you edit permissions.

I think having a body of knowledge that identifies insecure coding practices and provides secure alternatives is a good first start, and not as easy as it sounds.

---------

I also had another thought about improving the quality of code examples in texts. I know my publisher (Addison-Wesley), and I'm sure others, are very concerned about quality. I could ask my editor if they would be willing to make sure that someone with a security background reviewed any new programming texts.

If we can come up with a list of subject matter experts willing to review new texts, I'm guessing they would be very happy to have our feedback.

rCs

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php