Welcome Shouvik, I'll address your third point. I am ALL FOR teaching software security at the university level (and have been actively working with universities for over a decade). I just don't think it is realistic to try to push the problem off on universities and hope that they will solve it. As I have said, I would love to be proven wrong regarding my opinion on whether adding software security to a curriculum is realistic. For more on this, see page 98 of "Software Security" <http://www.swsec.com>.
I do hope that academic programs will not focus on the bug parade approach, however. Building a course around the OWASP top ten or the CWE/SANS top 25 would be rather silly. I would rather see vulns like this covered in every programming course and a software security course focused on the touchpoints (especially code review and architectural risk analysis). One thing emphasized by outstanding software security initiatives (think Microsoft) is that teaching developers and architects how to do things right is far superior to an after-the-fact analysis approach driven by audit and regulations.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

On 1/15/09 9:08 AM, "Shouvik Bardhan" <shou...@electrosoft-inc.com> wrote:

Guys, I am new to the App Security area so Stupid Comments Alert firstly. Many thanks for the insights that I get from the discussions on this board. I have been doing design/development for nearly 25 years now and it is interesting and frightening, how I hardly ever actively think (thought) while coding about Security - I know, I know !! So a few questions and comments from a newbie in the field:

a) Why is the meaning of input validation/output encoding so passionately contested? Is the subject not well understood? Are the remedies not well known? Is there a need to define the validation/protection in a more formal manner?

b) I kind of like the OWASP T10, OWASP ASVS, OWASP Testing guide and now the SANS25. To me the App Security is a new field for many of us and if some smart folks get together and create "Things to consider" type of lists - isn't it a good thing? When DHS tells me to keep 7 days of water/food, flashlights/batteries and a transistor radio - I think "well, this may or may not be enough but fairly smart people have come up with a list and I better take a note of that"

c) I am trying to understand why Gary said that teaching secure programming at University Level is not a good idea. Maybe not as a CS102 and CS202 class - there, guys just need to be able to understand to write code. But why is it not a good idea to teach secure programming in a MS curriculum?

Thanks again.
-Shouvik

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________