1. This is a great first step. While it sounds so 2003: I still deal with developers all the time that simply have no idea what to do or where to begin for *very basic* issues. Input validation. Output encoding. Or try to solve by doing crazy wild wrong things ("dangerous-string" blacklists, case-changes for case-sensitive language injection (xhtml/js) etc).
2. Most of the world is still not getting the "bug parade". >50%. You (Gary) may see a biased sample of more edjumacated folks by reading SC-L and working with a client sample that may be in the upper bounds of secure software knowledge.

3. Focusing on weak implementation practices ("bugs") is just fine. That's what most developers do. Implement.

4. Design and Pattern weaknesses are definitely essential. But that's not what most developers do.

5. SANS could and should have some separate, additional certifications:

+ "Non-dangerous requirements-gathering for Product Evangelists"
+ "Strong Software Design Principles for Business Owners"
+ "Strong Software Design Patterns for Software Architects/Lead Developers"
+ "How to describe mis-use case and dangerous omissions for people writing functional specifications"

Those are all separate pieces of knowledge that, depending on the size of the organization, may all be separate people. Certainly most of the developers I've worked with over the years would find the above in the "WTF does this have to do with me?" category, and I can't say I blame them.

And of course SANS makes money. Everything Allen Paller does is really good about getting lots of free community effort to generate data sets and/or tools they can charge other folks a lot of money for (CIS, SANS, SSI, Dshield, etc.). Sounds pretty smart to me. And I'd sure rather have someone following CIS guidelines or using SANS course-ware content than *nothing at all*.

Cheers

--
Arian Evans
solipsistic software security sophist

"I love deadlines. I like the whooshing sound they make as they fly by." - Douglas Adams

On 5/15/07, Gary McGraw <[EMAIL PROTECTED]> wrote:
Hi Yo (and everyone else),

I'm afraid that the current test focuses all of its attention on BUGS (in C/C++ and Java). While we certainly need to eradicate simple security bugs, there is much more to software security than the bug parade. Plus when you look into the material, the multiple choice format makes determining the correct answer impossible at times.

I would rather move away from learning about bugs to learning about defensive programming to avoid bugs in the first place. The SANS material focuses entirely on the negative as far as I can tell. Here's a bug, there's a bug, everywhere a bug bug.

Better than nothing? Maybe. SANS is very good at soliciting everyone's opinion, piling it all up in a nice package, and then charging users for the result. SANS is a for-profit entity, not a university or a non-profit. Please don't forget that.

As much as I would love to see a way to determine whether a random coder has security clue, I'm afraid all we will get out of this effort is perhaps a bit more awareness.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Johan Peeters
Sent: Saturday, May 12, 2007 6:11 AM
To: SC-L@securecoding.org
Subject: Re: [SC-L] Darkreading: Secure Coding Certification

I agree that multiple choice alone is inadequate to test the true breadth and depth of someone's security knowledge. Having contributed a few questions to the SANS pool, I take issue with Gary's article when it implies that you can pass the GSSP test while clueless. There is indeed a body of knowledge that is being tested. SANS has been soliciting comments on the document.

kr,

Yo

On 5/11/07, Gary McGraw <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> As readers of the list know, SANS recently announced a certification scheme for secure programming. Many vendors and consultants jumped on the bandwagon.
> I'm not so sure the bandwagon is going anywhere. I explain why in my latest darkreading column:
>
> http://www.darkreading.com/document.asp?doc_id=123606
>
> What do you think? Can we test someone's software security knowledge with a multiple choice test? Anybody seen the body of knowledge behind the test?
>
> gem
>
> company www.cigital.com
> podcast www.cigital.com/silverbullet
> blog www.cigital.com/justiceleague
> book www.swsec.com
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L@securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________

--
Johan Peeters
http://johanpeeters.com
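Arian's remark at the top of the thread about "dangerous-string" blacklists being defeated by case changes, shown as an added example that is not part of the SC-L thread or anyone's posted code: a blacklist filter that strips a fixed list of lower-case tokens, beside an output-encoding function for an HTML text context, both run over a few constructed inputs. The helper names (blacklistFilter, htmlEncode, containsActiveHtml, evaluate) are assumptions of this example, and containsActiveHtml is a rough case-insensitive regex stand-in for what a browser's HTML parser would accept, not a real parser.

```javascript
// Added example (not from the SC-L thread): a "dangerous-string" blacklist
// versus contextual output encoding for an HTML text context.

// Naive blacklist filter: strips a fixed list of lower-case "dangerous"
// tokens. HTML tag and attribute names are case-insensitive, so any
// variation in letter case slips straight past it.
function blacklistFilter(input) {
  const banned = ['<script', 'javascript:', 'onerror', 'onload'];
  let out = String(input);
  for (const token of banned) {
    out = out.split(token).join('');
  }
  return out;
}

// Output encoding for HTML text content: escape every character that can
// change the parser's context, regardless of case. The data can then no
// longer start a tag or attribute at all.
function htmlEncode(input) {
  return String(input).replace(/[&<>"'\/]/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  })[ch]);
}

// Stand-in for a browser (assumption of this example): does the output
// still contain a script tag or an img event-handler attribute, in any
// letter case? Case-insensitive like a real HTML parser.
function containsActiveHtml(s) {
  return /<\s*script|<\s*img[^>]*\son\w+\s*=/i.test(s);
}

// Constructed sample inputs, including case-changed variants of the
// blacklisted tokens.
const samples = [
  '<script>alert(1)</script>',
  '<ScRiPt>alert(1)</sCrIpT>',
  '<img src=x OnErRoR=alert(1)>',
  'plain text & nothing else',
];

// Run both defences over every sample and report whether the result is
// still "active" HTML according to containsActiveHtml.
function evaluate() {
  return samples.map((s) => ({
    input: s,
    blacklistSafe: !containsActiveHtml(blacklistFilter(s)),
    encodedSafe: !containsActiveHtml(htmlEncode(s)),
  }));
}

for (const r of evaluate()) {
  console.log(JSON.stringify(r));
}
```

The first sample is caught by the blacklist only because its token happens to be lower case; the second and third are the same payloads with mixed case and pass the filter untouched, while encoding neutralises all of them without needing to know what the attacker will type.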