Re: [SC-L] market for training CISSPs how to code (Matt Parsons)
On Mar 18, 2010, at 02:17, ljknews wrote:

> Scripting languages should not be used for security-sensitive programs.

And your evidence for this statement is?

Stephan

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
___
Re: [SC-L] market for training CISSPs how to code (Matt Parsons)
Hi all,

We are drifting a bit away from my question, but here is a forked question: who says so, in the context of web applications? I can see it (somewhat) from a desktop application perspective, but how is this relevant in web apps?

Cheers!

> Date: Wed, 17 Mar 2010 20:17:05 -0500
> From: ljknews ljkn...@mac.com
> To: sc-l@securecoding.org
> Subject: Re: [SC-L] market for training CISSPs how to code (Matt Parsons)
> Message-ID: p05200f26c7c72f5b9...@[146.115.107.213]
> Content-Type: text/plain; charset=us-ascii
>
> At 7:27 PM +0200 3/17/10, AK wrote:
>
>> Regarding training non-developers to write secure code, what are the circumstances that a non-developer would create code that would *require* security? I am assuming that system administrators know the basics of their trade and scripting language of choice, so security there is taken care of.
>
> Scripting languages should not be used for security-sensitive programs.
Re: [SC-L] market for training CISSPs how to code (Matt Parsons)
At 7:36 PM +0200 3/18/10, AK wrote:

> Who says so, in the context of web applications? I can see it (somewhat) from a desktop application perspective, but how is this relevant in web apps?

Why should standards for a web application be different than for a desktop application?

--
Larry Kilgallen
Re: [SC-L] [WEB SECURITY] RE: blog post and open source vulnerabilities to blog about
CWE, CLASP, and some other information sources have a number of code snippets that highlight various weaknesses. In CWE, this code is easily extractable from the XML by grabbing the Demonstrative_Examples element, and we've even conveniently labeled examples with the various languages. You could also grab the CVE real-world examples from the Observed_Examples element.

Note that the code examples are by no means complete, but they might be good enough to start with.

If you pore through CVE, you will soon realize that it can be very time-consuming to go from a real-world open-source vuln report to the actual code snippet.

- Steve
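The extraction Steve describes, as an added example that is not part of the thread or of MITRE's own tooling. The element names Demonstrative_Examples and Observed_Examples are the ones named in his message; the rest of the layout (a Weakness element with ID and Name attributes, Example_Code children carrying Language and Nature attributes, and Observed_Example/Reference holding the CVE id) is an assumption modelled on the public CWE XML schema and should be checked against the version you download. The XML document embedded below is a constructed sample, not real CWE content, and its CVE reference is a placeholder.

```python
"""Pull language-labelled code snippets and CVE references out of a
CWE-style XML export.

Added example, not code from the SC-L thread. Only the element names
Demonstrative_Examples and Observed_Examples come from the message; the
surrounding layout is ASSUMED (modelled on the CWE schema) and the sample
document below is constructed, with a placeholder CVE id.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed sample in the assumed CWE layout; the namespace URI is also
# an assumption and is ignored by the matching code below anyway.
SAMPLE_CWE_XML = """<?xml version="1.0"?>
<Weakness_Catalog xmlns="http://cwe.mitre.org/cwe-6">
  <Weaknesses>
    <Weakness ID="89" Name="SQL Injection">
      <Demonstrative_Examples>
        <Demonstrative_Example>
          <Intro_Text>Query built by string concatenation.</Intro_Text>
          <Example_Code Nature="Bad" Language="PHP">$q = "SELECT * FROM users WHERE name = '" . $_GET['name'] . "'";</Example_Code>
          <Example_Code Nature="Good" Language="PHP">$stmt = $db->prepare("SELECT * FROM users WHERE name = ?");</Example_Code>
        </Demonstrative_Example>
      </Demonstrative_Examples>
      <Observed_Examples>
        <Observed_Example>
          <Reference>CVE-0000-0000</Reference>
          <Description>Constructed placeholder entry, not a real CVE.</Description>
        </Observed_Example>
      </Observed_Examples>
    </Weakness>
    <Weakness ID="120" Name="Classic Buffer Overflow">
      <Demonstrative_Examples>
        <Demonstrative_Example>
          <Example_Code Nature="Bad" Language="C">char buf[64]; strcpy(buf, argv[1]);</Example_Code>
        </Demonstrative_Example>
      </Demonstrative_Examples>
    </Weakness>
  </Weaknesses>
</Weakness_Catalog>
"""


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree attaches to tag names, so the
    matching below works whichever CWE schema namespace the file declares."""
    return tag.rsplit("}", 1)[-1]


def _descendants(elem: ET.Element, name: str) -> List[ET.Element]:
    """All elements at or below `elem` whose local name is `name`."""
    return [e for e in elem.iter() if _local(e.tag) == name]


def extract_examples(xml_text: str, language: Optional[str] = None) -> List[Dict[str, str]]:
    """Return one record per Example_Code snippet, optionally filtered by the
    Language attribute (case-insensitive). itertext() is used so snippets
    wrapped in XHTML markup still come out as plain text."""
    root = ET.fromstring(xml_text)
    records: List[Dict[str, str]] = []
    for weakness in _descendants(root, "Weakness"):
        cwe_id = weakness.get("ID", "?")
        for container in _descendants(weakness, "Demonstrative_Examples"):
            for code in _descendants(container, "Example_Code"):
                lang = code.get("Language", "")
                if language is not None and lang.lower() != language.lower():
                    continue
                records.append({
                    "cwe": f"CWE-{cwe_id}",
                    "name": weakness.get("Name", ""),
                    "language": lang,
                    "nature": code.get("Nature", ""),
                    "code": "".join(code.itertext()).strip(),
                })
    return records


def extract_observed(xml_text: str) -> Dict[str, List[str]]:
    """Map each CWE id to the CVE references listed under Observed_Examples.
    Only Reference elements inside Observed_Examples are read, so the
    bibliographic References section of a real export is not picked up."""
    root = ET.fromstring(xml_text)
    observed: Dict[str, List[str]] = {}
    for weakness in _descendants(root, "Weakness"):
        refs = []
        for container in _descendants(weakness, "Observed_Examples"):
            for ref in _descendants(container, "Reference"):
                refs.append((ref.text or "").strip())
        if refs:
            observed[f"CWE-{weakness.get('ID', '?')}"] = refs
    return observed


if __name__ == "__main__":
    for rec in extract_examples(SAMPLE_CWE_XML):
        print(f"{rec['cwe']} [{rec['language']}/{rec['nature']}] {rec['code']}")
    print(extract_observed(SAMPLE_CWE_XML))
```

Point `extract_examples` at the text of a downloaded CWE XML file (and pass `language="C"` or similar) to get a per-language corpus of bad/good snippet pairs; the namespace-agnostic matching is what keeps the script working across schema versions.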