Re: [SC-L] [WEB SECURITY] RE: blog post and open source vulnerabilities to blog about

2010-03-18 Thread Steven M. Christey
CWE, CLASP, and some other information sources have a number of code snippets that highlight various weaknesses. In CWE, this code is easily extractable from the XML by grabbing the Demonstrative_Examples element, and we've even conveniently labeled examples with the various languages. You c

Re: [SC-L] market for training CISSPs how to code (Matt, Parsons)

2010-03-18 Thread ljknews
At 7:36 PM +0200 3/18/10, AK wrote: > Who says so, in the context of web applications? > I can see it (somewhat) from a "desktop" application > perspective, but how is this relevant in web apps? Why should standards for a "web" application be different than for a "desktop" application? -- Larry

Re: [SC-L] market for training CISSPs how to code

2010-03-18 Thread ljknews
At 1:01 PM -0400 3/18/10, Wheeler, David A wrote: > Larry Kilgallen: >> Scripting languages should not be used for security-sensitive programs. > > Perhaps, but they are and will be used that way anyway. We need plan B. Ok, just so people understand it _is_ Plan B. > If the alternative is "use

Re: [SC-L] market for training CISSPs how to code (Matt, Parsons)

2010-03-18 Thread AK
Hi all, We are drifting a bit away from my question but here is a forked question: Who says so, in the context of web applications? I can see it (somewhat) from a "desktop" application perspective, but how is this relevant in web apps? Cheers! Date: Wed, 17 Mar 2010 20:17:05 -0500 From: ljknew

Re: [SC-L] market for training CISSPs how to code

2010-03-18 Thread Wheeler, David A
> At 7:27 PM +0200 3/17/10, AK wrote: > > Regarding training non-developers to write secure code, what are the > > circumstances that a non-developer would create code that would > > *require* security? As soon as a "non-developer" creates code, they are no longer a "non-developer". By definiti

Re: [SC-L] market for training CISSPs how to code (Matt Parsons)

2010-03-18 Thread Craig E. Ward
On Wed, Mar 17, 2010 at 6:17 PM, ljknews wrote: > At 7:27 PM +0200 3/17/10, AK wrote: > >> Regarding training non-developers to write secure code, what are the >> circumstances that a non-developer would create code that would >> *require* security? I am assuming that system administrators know t

Re: [SC-L] market for training CISSPs how to code (Matt Parsons)

2010-03-18 Thread Stephan Neuhaus
On Mar 18, 2010, at 02:17, ljknews wrote: > Scripting languages should not be used for security-sensitive > programs. And your evidence for this statement is? Stephan ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscr

Re: [SC-L] market for training CISSPs how to code (Matt Parsons)

2010-03-18 Thread ljknews
At 7:27 PM +0200 3/17/10, AK wrote: > Regarding training non-developers to write secure code, what are the > circumstances that a non-developer would create code that would > *require* security? I am assuming that system administrators know the > basics of their trade and scripting language of ch