On Aug 21, 2009, at 12:18 PM, Brad Andrews wrote:
This brings up a great point. How can we grade a program's security
level? Is it just a checkoff list? Which elements should be in
that checkoff list?
You may be interested in reading:
Teaching Secure Programming
IEEE Security and
I was thinking of a beginner-level programming class. I have and it
can be a challenge, especially if they don't have the programming
mindset. Even if they do, you don't have the time for the things you
spoke about. You are focusing on basic coding constructs first. :)
--
Brad
Now that you mention it
I was listening to the CERT podcast where you and a couple of others
discussed the BSIMM (probably a while back since I am well behind on
those). You made a statement along these lines and I immediately
thought that I disagreed! :)
I don't think software
Actually, we can't prove programs are bug free if by bug we also mean all
possible anomalous behaviours. My colleagues keep pointing this out to me when
I suggest that we should start leveraging the computational power of computing
grids to analyze complex software the same way other
We are approaching huge industry-wide application security critical
mass for the first time. Now is the time to strike. If all we teach is
input validation+canonicalization, query parameterization, and output
encoding, we stop XSS and SQLi via education
Jim Manico
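The three controls Jim lists, shown together as an added beginner-level example that is not part of the thread; the users table, sample rows and the username allowlist are constructed for the demonstration:

```python
import html
import re
import sqlite3
import unicodedata

# Constructed sample data for the demonstration (not from the thread).
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

# Allowlist for a username: ASCII letters, digits, underscore, 3-20 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,20}$")


def make_db():
    """Build an in-memory SQLite database seeded with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def canonicalize(value):
    """Normalize (NFKC) and trim so validation sees one canonical form."""
    return unicodedata.normalize("NFKC", value).strip()


def validate_username(value):
    """Return the canonical username, or None if it fails the allowlist."""
    canon = canonicalize(value)
    return canon if USERNAME_RE.fullmatch(canon) else None


def find_email(conn, username):
    """Parameterized lookup: the driver binds username as data, never as SQL."""
    row = conn.execute(
        "SELECT email FROM users WHERE name = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def render_greeting(username):
    """Output encoding for an HTML context: escape before interpolating."""
    return "<p>Hello, " + html.escape(username, quote=True) + "</p>"
```

Canonicalize before validating, validate against an allowlist, bind query values as parameters, and encode on output for the context you are writing into; each layer holds even if another is skipped.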
On Aug 21, 2009, at
Great points Karen! We can't prove a program is secure in the same vein.
The danger I am spouting off about is the idea that we would solve the
software security problem if we just take a more scientific or
mature (or whatever) approach. I think those can definitely reduce
the risk, but
Are there any industry metrics that indicate what percentage of
full-time software developers actually learned coding in a university
setting? I actually learned in high-school, focused on business
administration in college (easiest major on the planet) and
learned/matured on the job. Likewise, I
Andy Steingruebl wrote:
I think our real question isn't just how to reach the professional
programmer trained via formal training programs, but also how to reach
the amateur programmer trained via books, trial+error, etc.
One area here is making sure examples are done correctly. The
Brad Andrews wrote:
Has anyone who holds to this taught a beginning level programming
class? Getting students to understand what a loop is can be hard
enough, given limited time. Diving into exploits and buffer overflows
can be much more difficult.
Getting into exploits at this level is