Guys,
I am new to the App Security area, so Stupid Comments Alert first. Many thanks for the insights that I get from the discussions on this board. I have been doing design/development for nearly 25 years now, and it is interesting and frightening how I hardly ever actively think (thought) about security while coding - I know, I know!! So a few questions and comments from a newbie in the field:

a) Why is the meaning of input validation/output encoding so passionately contested? Is the subject not well understood? Are the remedies not well known? Is there a need to define the validation/protection in a more formal manner?

b) I kind of like the OWASP T10, OWASP ASVS, OWASP Testing Guide and now the SANS 25. To me, App Security is a new field for many of us, and if some smart folks get together and create "Things to consider" type lists - isn't it a good thing? When DHS tells me to keep 7 days of water/food, flashlights/batteries and a transistor radio, I think "well, this may or may not be enough, but fairly smart people have come up with a list and I had better take note of that."

c) I am trying to understand why Gary said that teaching secure programming at the university level is not a good idea. Maybe not as a CS102 or CS202 class - there, guys just need to be able to understand how to write code. But why is it not a good idea to teach secure programming in an MS curriculum?

Thanks again.

-Shouvik
_______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________